XXE in Ivanti Connect Secure/Policy Secure/ZTA SAML Component

Successful exploitation allows an unauthenticated attacker to access restricted resources exposed through the vulnerable SAML functionality. In operational contexts, this can provide initial foothold or unauthorized data/resource access on affected Ivanti appliances and may facilitate broader compromise when combined with other Ivanti flaws or post-compromise tradecraft. Reporting around the Ivanti appliance exploitation wave associates these classes of access with credential harvesting, web shell deployment, lateral movement, and in some cases full domain compromise, although those downstream outcomes are not attributable to CVE-2024-22024 alone without chaining or follow-on activity.

If immediate patching is not possible, reduce exposure of the vulnerable SAML interface as much as operationally feasible, apply any Ivanti-issued interim XML/workaround mitigations applicable to the product/version, and monitor aggressively for exploitation indicators. Assume affected appliances may be compromised if exposed and hunt for web shells, modified files, anomalous authentication artifacts, and lateral movement from the appliance into the enterprise. Restrict management access, minimize internet exposure where possible, and prepare for full credential and secret rotation. Mitigations are not a substitute for patching and recovery from a known-good state.

Apply Ivanti vendor patches for all affected product lines and versions referenced in Ivanti security bulletins. Supporting content indicates patched releases were issued across affected branches during the 2024 response period, and organizations should move to the latest fixed version available for their specific appliance/version family rather than relying on interim mitigations alone. Because Ivanti appliance compromises during this period were associated with credential theft and persistence, remediation should also include incident-response actions: validate appliance integrity with the latest Ivanti Integrity Checker Tool, rebuild or reimage from known-good images where compromise is suspected, avoid rollback to vulnerable firmware, and rotate credentials, certificates, API keys, and other secrets that may have traversed or been stored on the appliance.