Cyber Resilience

CVE-2024-2374

Severity: High
Published: 16 April 2026
Modified: 23 April 2026
KEV Added: not listed
Patch: see the WSO2 security advisory linked in the analysis
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0038 (29.4th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2024-2374 is a high-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in WSO2 API Manager. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-2374 is an XML External Entity (XXE) vulnerability, classified under CWE-611, affecting the XML parsers in multiple WSO2 products. These parsers accept user-supplied XML data without proper configuration to prevent the resolution of external entities. Published on 2026-04-16, the flaw has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with network accessibility, low attack complexity, and no privileges required.

Remote attackers without authentication can exploit this vulnerability by crafting malicious XML payloads submitted to the affected products. Successful exploitation enables reading confidential files from the server's file system, accessing limited HTTP resources reachable by the product, or conducting denial-of-service attacks through recursive entity expansion or fetching large external resources, thereby exhausting server resources.

For mitigation details, refer to the WSO2 security advisory at https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3255/.

Vulnerability details

The XML parsers within multiple WSO2 products accept user-supplied XML data without being configured to prevent the resolution of external entities. This omission allows malicious actors to craft XML payloads that exploit the parser's behavior, leading to the inclusion of external resources. By leveraging this vulnerability, an attacker can read confidential files from the file system and access limited HTTP resources reachable by the product. Additionally, the vulnerability can be exploited to perform denial of service attacks by exhausting server resources through recursive entity expansion or fetching large external resources.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

XXE in public-facing WSO2 XML parsers directly enables remote unauthenticated exploitation for file disclosure and resource exhaustion (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-10713 (same product: WSO2 API Manager)
CVE-2025-10611 (same product: WSO2 API Manager)
CVE-2024-8010 (same product: WSO2 API Manager)
CVE-2025-10907 (same product: WSO2 API Manager)
CVE-2024-1524 (same product: WSO2 API Manager)
CVE-2025-13590 (same product: WSO2 API Manager)
CVE-2025-65482 (shared CWE-611)
CVE-2024-49352 (shared CWE-611)
CVE-2024-56322 (shared CWE-611)
CVE-2026-3603 (shared CWE-611)

Affected Assets

WSO2 API Manager: 3.1.0 — 3.1.0.278 · 3.2.0 — 3.2.0.368 · 4.0.0 — 4.0.0.280
WSO2 Identity Server: 5.10.0 — 5.10.0.300 · 5.11.0 — 5.11.0.329 · 6.0.0 — 6.0.0.179
WSO2 Identity Server as Key Manager: 5.10.0 — 5.10.0.296
WSO2 Open Banking AM: 2.0.0 — 2.0.0.328
WSO2 Open Banking IAM: 2.0.0 — 2.0.0.348

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-10, Information Input Validation): Directly requires validation of user-supplied XML inputs to block external entity resolution and prevent exploitation for file reads or DoS.

Prevent (CM-6, Configuration Settings): Ensures XML parsers in WSO2 products are configured securely to disable external entity processing, addressing the root cause of the vulnerability.

Prevent: Mandates timely flaw remediation through patching or updates as specified in the WSO2 advisory to eliminate the XXE vulnerability.
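A defensive check for the input-validation and parser-configuration controls above, written as an added example using Python's standard library (it is not code from WSO2, the advisory, or this page; the sample payloads are constructed). The parser disables external entity fetching and refuses any DOCTYPE before an entity can be declared, so both impacts described above, file disclosure and recursive entity expansion, are stopped at the same point.

```python
import io
import xml.sax
from xml.sax import handler

# Constructed sample payloads (not from the WSO2 advisory): one benign API document,
# one declaring an external entity, one declaring a nested (expanding) internal entity.
BENIGN_XML = b"<user><name>alice</name><role>reader</role></user>"
XXE_XML = (b'<!DOCTYPE user [<!ENTITY ext SYSTEM "file:///server/secret.txt">]>'
           b"<user><name>&ext;</name></user>")
EXPANSION_XML = (b'<!DOCTYPE x [<!ENTITY a "aaaaaaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
                 b"<x>&b;&b;&b;</x>")

class XmlRejected(ValueError):
    """Untrusted XML carried a DOCTYPE; that is the only place entities are declared."""

class _DoctypeGuard:
    """SAX lexical handler that aborts the parse at the first DOCTYPE declaration."""
    def startDTD(self, name, public_id, system_id):
        raise XmlRejected(f"DOCTYPE '{name}' is not allowed in untrusted XML")

    # Remaining lexical events (end of DTD, CDATA, comments) are ignored.
    endDTD = startCDATA = endCDATA = comment = lambda self, *args: None

class _TextCollector(handler.ContentHandler):
    """Collects leaf-element text into {tag: text}."""
    def __init__(self):
        super().__init__()
        self.values, self._stack = {}, []

    def startElement(self, name, attrs):
        self._stack.append((name, []))

    def characters(self, content):
        if self._stack:
            self._stack[-1][1].append(content)

    def endElement(self, name):
        tag, parts = self._stack.pop()
        if "".join(parts).strip():
            self.values[tag] = "".join(parts).strip()

def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML with external entities disabled and any DTD refused outright."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, False)  # never fetch external entities
    parser.setFeature(handler.feature_external_pes, False)  # nor external parameter entities
    parser.setProperty(handler.property_lexical_handler, _DoctypeGuard())
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(data))  # raises XmlRejected before any entity is declared
    return collector.values
```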
