CVE-2024-22024

CVE Database · CVE-2024-22024

CVE-2024-22024

· HIGHModified

CVSS v3.1

8.3

EPSS

94.72%

Published

Feb 13, 2024

Modified

Oct 31, 2025

Public PoC / Exploit (2)

All weaponized →

NucleiNuclei detection template TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways which allows an attacker to access certain restricted resources without authentication.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

Weaknesses (CWE)

CWE-611CWE-611

Affected Products (8)

ivanti · connect_securevulnerable

ivanti · policy_securevulnerable

ivanti · zero_trust_access_gatewayvulnerable

References (2)

https://forums.ivanti.com/s/article/CVE-2024-22024-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US

Vendor Advisory

https://forums.ivanti.com/s/article/CVE-2024-22024-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US

Vendor Advisory

KEV Catalog EPSS Scores Vendors All CVEs