Vulnerability Advisory: Unauthenticated XXE in wpClientServlet

Article ID: 434616

Products

CA Identity Suite

Issue/Introduction

A high-severity security vulnerability has been identified in the /iam/im/wpClientServlet endpoint. An unauthenticated attacker can send a specially crafted XML payload via a POST request to this servlet, allowing for:

  • Unauthorized File Disclosure: Reading sensitive underlying system files and folder structures (e.g., /etc/, /home/).
  • Network Scanning: Scanning for open ports on the local or connected systems.
  • System Interaction: Accessing functionality of connected systems that is otherwise restricted.

Confirmed Behavior: Engineering has validated that a POST request to this endpoint can return Linux server folder details directly in the response.

Environment

Product: CA Identity Manager
Version: 14.5.1 CHF1

Cause

The vulnerability is caused by an XML External Entity (XXE) injection flaw in the XML processing logic of the wpClientServlet. The application fails to disable external entity resolution (or otherwise reject DTD and entity declarations) in the XML message body, so an entity supplied by the client is resolved on the server.
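As an added illustration (not Broadcom's fix and not Workpoint code), the following shows how a Java servlet's JAXP parser is configured so that a DOCTYPE or external entity in the POSTed message body is rejected rather than resolved; the class name, method names and sample bodies are constructed for the example.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedXmlParser {

    // Builds a DocumentBuilderFactory with DTDs and external entities switched off.
    // The feature URIs are the standard JAXP/Xerces ones (see the OWASP XXE cheat sheet).
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject any DOCTYPE: without a DTD there is no way to declare an entity at all.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a parser implementation ignores the line above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Parses an XML message body the way a servlet should: a DOCTYPE or an entity
    // declaration makes the whole request fail instead of being resolved.
    static Document parseMessage(String body) throws Exception {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        // Return an empty source for any external reference that still gets asked for.
        builder.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return builder.parse(new InputSource(new StringReader(body)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample bodies; the SYSTEM URI is a placeholder, not a real resource.
        String clean = "<request><op>ping</op></request>";
        String withDtd = "<!DOCTYPE request [<!ENTITY ext SYSTEM \"file:///placeholder\">]>"
                       + "<request><op>&ext;</op></request>";

        System.out.println("clean body root: " + parseMessage(clean).getDocumentElement().getTagName());
        try {
            parseMessage(withDtd);
            System.out.println("UNEXPECTED: DTD-bearing body was accepted");
        } catch (SAXException e) {
            // Expected path: the parser refuses the DOCTYPE before any entity is touched.
            System.out.println("rejected DTD-bearing body: " + e.getMessage());
        }
    }
}
```

The same rejection is a useful detection signal: a DOCTYPE in a request body to this servlet has no legitimate use and should be logged and alerted on at the WAF or proxy as well as in the application.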

Resolution

Broadcom Engineering has developed a permanent fix in collaboration with the Workpoint team under defect DE632145.

Scheduled Fix: The remediation is officially included in Identity Manager 14.5.1 Cumulative Hotfix 2 (CHF2), tentatively scheduled for release during the week of 30 MAR 2026. Customers are advised to upgrade to CHF2 as soon as it is available.

Mitigation: Until CHF2 is applied, it is recommended to:

  1. Block external access to the /iam/im/wpClientServlet URL at the Web Application Firewall (WAF), Load Balancer, or Proxy level.
  2. Ensure strict network segmentation to prevent unauthenticated access to the Identity Manager application server.