Cyber Posture

CVE-2024-54171

High

Published: 06 February 2025

Published
06 February 2025
Modified
07 July 2025
KEV Added
Patch
CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
EPSS Score 0.0003 8.8th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-54171 is a high-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in Ibm Entirex. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 8.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

SI-2 requires timely identification, reporting, and correction of flaws like CVE-2024-54171 through patching as advised by IBM.

SI-10 Information Input Validation good match
prevent

SI-10 mandates validation of XML inputs to block external entity injection and prevent sensitive information disclosure or resource exhaustion.

CM-6 Configuration Settings good match
prevent

CM-6 enforces secure configuration settings for XML parsers in IBM EntireX to disable external entity processing and mitigate XXE.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
attack.mitre.org →
Why these techniques?

XXE flaw (CWE-611) directly enables remote exploitation of the application for data access (T1190) and local file/system data retrieval (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

IBM EntireX 11.1 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. An authenticated attacker could exploit this vulnerability to expose sensitive information or consume memory resources.

Deeper analysisAI

IBM EntireX 11.1 is vulnerable to CVE-2024-54171, an XML external entity (XXE) injection flaw classified under CWE-611. This vulnerability arises during the processing of XML data, enabling potential injection of external entities that could lead to unauthorized data access or resource exhaustion.

An authenticated attacker with low privileges (PR:L) can exploit this issue remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation yields high confidentiality impact through sensitive information disclosure, alongside low availability impact via memory resource consumption, without affecting integrity or scope (S:U), as reflected in the CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L).

IBM has issued a security advisory at https://www.ibm.com/support/pages/node/7182693, published on 2025-02-06, which provides details on the vulnerability and recommended mitigation actions.

Details

CWE(s)
CWE-611

Affected Products

ibm
entirex
11.1

CVEs Like This One

CVE-2024-49781Same product: Linux Linux Kernel
CVE-2024-52363Same product: Linux Linux Kernel
CVE-2025-14974Same product: Linux Linux Kernel
CVE-2024-49779Same product: Linux Linux Kernel
CVE-2026-1567Same vendor: Ibm
CVE-2025-13916Same product: Linux Linux Kernel
CVE-2024-41766Same product: Linux Linux Kernel
CVE-2024-49782Same product: Linux Linux Kernel
CVE-2025-0162Same vendor: Ibm
CVE-2024-41767Same product: Linux Linux Kernel

References