Ivanti EPM XML Entity Vulnerability
CVE-2024-37397

8.2HIGH

Key Information:

Vendor: Ivanti
Status: Epm
Vendor: CVE Published:; 12 September 2024

Summary

The vulnerability pertains to an External XML Entity (XXE) flaw in the provisioning web service of Ivanti Endpoint Manager (EPM). This issue can be exploited by remote unauthenticated attackers, leading to the potential exposure of sensitive API secrets. The vulnerability affects all versions of Ivanti EPM prior to the 2022 SU6 and the updated version from September 2024, highlighting the critical need for immediate remediation.

Affected Version(s)

EPM 2024 September Security Update

EPM 2022 SU6

References

https://forums.ivanti.com/s/article/Security-Advisory-EPM...

CVSS V3.1

Score:

8.2

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 12, 2024
Vulnerability Reserved
Jun 8, 2024