CVE-2020-4428
Published: 07 May 2020
Summary
CVE-2020-4428 is a critical-severity OS Command Injection (CWE-78) vulnerability in IBM Data Risk Manager. Its CVSS base score is 9.1 (Critical).
Operationally, it ranks in the top 0.3% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Deeper analysis
IBM Data Risk Manager versions 2.0.1, 2.0.2, 2.0.3, and 2.0.4 contain a command injection vulnerability tracked as CVE-2020-4428 and CWE-78. The flaw permits execution of arbitrary commands on the underlying system and carries a CVSS 3.1 base score of 9.1 reflecting network attack vector, low complexity, and high impact across confidentiality, integrity, and availability with changed scope.
A remote attacker who has already authenticated with high privileges can exploit the issue to run arbitrary operating-system commands, resulting in full control over the affected IBM Data Risk Manager instance and any data or resources it manages. No information on patches, workarounds, or real-world exploitation activity is supplied in the available references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-25675
Vulnerability details
IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, and 2.0.4 could allow a remote authenticated attacker to execute arbitrary commands on the system. IBM X-Force ID: 180533.
- CWE(s): CWE-78 (OS Command Injection)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly blocks the command-injection payload (CWE-78) by validating all user-supplied input before it reaches the OS command interpreter.
- AC-6 (Least Privilege): limits the high privileges the attacker must hold, reducing the ability to execute arbitrary OS commands even after authentication.
- CM-7 (Least Functionality): restricts the system to only essential functions and disables unnecessary command interpreters or utilities that the injection would otherwise abuse.