Cyber Posture

CVE-2024-2374

High

Published: 16 April 2026
Modified: 23 April 2026
KEV Added: not listed
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0001 (3.2nd percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-2374 is a high-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in WSO2 API Manager and other WSO2 products. Its CVSS v3.1 base score is 7.5 (High).

Operationally, its EPSS score ranks it at the 3.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 (Information Input Validation), prevent: Directly requires validation of user-supplied XML inputs to block external entity resolution and prevent exploitation for file reads or DoS.

CM-6 (Configuration Settings), prevent: Ensures XML parsers in WSO2 products are configured securely to disable external entity processing, addressing the root cause of the vulnerability.

SI-2 (Flaw Remediation), prevent: Mandates timely flaw remediation through patching or updates as specified in the WSO2 advisory to eliminate the XXE vulnerability.

NVD Description

The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resolution of external entities. This omission allows malicious actors to craft XML payloads that exploit the parser's behavior, leading to the inclusion of external resources. By leveraging this vulnerability, an attacker can read confidential files from the file system and access limited HTTP resources reachable by the product. Additionally, the vulnerability can be exploited to perform denial of service attacks by exhausting server resources through recursive entity expansion or fetching large external resources.

Deeper analysis

CVE-2024-2374 is an XML External Entity (XXE) vulnerability, classified under CWE-611, affecting the XML parsers in multiple WSO2 products. These parsers accept user-supplied XML data without proper configuration to prevent the resolution of external entities. Published on 2026-04-16, the flaw has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with network accessibility, low attack complexity, and no privileges required.

Remote attackers without authentication can exploit this vulnerability by crafting malicious XML payloads submitted to the affected products. Successful exploitation enables reading confidential files from the server's file system, accessing limited HTTP resources reachable by the product, or conducting denial-of-service attacks through recursive entity expansion or fetching large external resources, thereby exhausting server resources.

For mitigation details, refer to the WSO2 security advisory at https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3255/.
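The CM-6 control above and this analysis both come down to one configuration change: the parser must never resolve a DOCTYPE or fetch external resources. The following is an added illustration, not WSO2 code or the fix from the advisory; the class and method names are hypothetical, and the two XML samples are constructed (the second only declares a harmless internal entity, yet is rejected outright because DTDs are disallowed).

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

/** Hypothetical helper showing the JAXP settings CM-6 calls for; not WSO2 code. */
public final class HardenedXmlParser {
    /** Returns a DocumentBuilder that refuses DOCTYPEs and never fetches external resources. */
    public static DocumentBuilder newBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DTD: with no DOCTYPE there are no entity declarations, internal or external.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that still accept a DTD: resolve nothing, load nothing.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // JAXP 1.5 properties: an empty string forbids every protocol for external DTD/schema access.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parses untrusted XML with the hardened builder and returns the root element name. */
    public static String rootName(String xml) throws Exception {
        Document doc = newBuilder().parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getDocumentElement().getTagName();
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: a plain request, and one that merely declares an internal entity.
        String plain = "<?xml version=\"1.0\"?><request><id>42</id></request>";
        String withDtd = "<?xml version=\"1.0\"?><!DOCTYPE request [<!ENTITY greet \"hi\">]>"
                + "<request>&greet;</request>";
        System.out.println("plain document root: " + rootName(plain));
        try {
            rootName(withDtd);
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (SAXParseException e) {
            // disallow-doctype-decl stops parsing here, before any entity could be resolved.
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The same feature and property names apply to SAXParserFactory and, for the reader-based APIs, XMLInputFactory (via IS_SUPPORTING_EXTERNAL_ENTITIES and SUPPORT_DTD), so every parser entry point in a deployment should be audited, not only DOM.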

Details

CWE(s): CWE-611 (Improper Restriction of XML External Entity Reference)

Affected Products

WSO2 API Manager: 3.1.0 — 3.1.0.278 · 3.2.0 — 3.2.0.368 · 4.0.0 — 4.0.0.280
WSO2 Identity Server: 5.10.0 — 5.10.0.300 · 5.11.0 — 5.11.0.329 · 6.0.0 — 6.0.0.179
WSO2 Identity Server as Key Manager: 5.10.0 — 5.10.0.296
WSO2 Open Banking AM: 2.0.0 — 2.0.0.328
WSO2 Open Banking IAM: 2.0.0 — 2.0.0.348

CVEs Like This One

CVE-2025-10713 (same product: WSO2 API Manager)
CVE-2024-8010 (same product: WSO2 API Manager)
CVE-2025-10907 (same product: WSO2 API Manager)
CVE-2025-10611 (same product: WSO2 API Manager)
CVE-2024-1524 (same product: WSO2 API Manager)
CVE-2025-12107 (same product: WSO2 Identity Server)
CVE-2025-13590 (same product: WSO2 API Manager)
CVE-2025-11093 (same product: WSO2 API Manager)
CVE-2025-61821 (shared CWE-611)
CVE-2025-0162 (shared CWE-611)
