CVE-2024-25034

High

Published: 24 January 2025

Published

24 January 2025

Modified

05 March 2025

KEV Added

—

Patch

—

CVSS Score 8.0 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0015 35.7th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-25034 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Ibm Planning Analytics. Its CVSS base score is 8.0 (High).

Operationally, ranked at the 35.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-9 (Information Input Restrictions).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly requires validation of information inputs like uploaded files to ensure only safe file types are accepted in the File Manager T1 process, addressing the lack of type validation.

SI-9 Information Input Restrictions good match

prevent

Enforces restrictions on system information inputs to block unauthorized file types such as malicious executables during uploads.

SI-3 Malicious Code Protection partial match

preventdetect

Implements malicious code protection to scan and prevent execution or propagation of uploaded dangerous files even if initial validation is bypassed.

NVD Description

IBM Planning Analytics 2.0 and 2.1 could be vulnerable to malicious file upload by not validating the type of file in the File Manager T1 process. Attackers can make use of this weakness and upload malicious executable files into the…

system that can be sent to victims for performing further attacks.

Deeper analysisAI

CVE-2024-25034 affects IBM Planning Analytics 2.0 and 2.1, specifically in the File Manager T1 process, where insufficient validation of uploaded file types enables malicious file uploads. This vulnerability, classified under CWE-434 (Unrestricted Upload of File with Dangerous Type), carries a CVSS v3.1 base score of 8.0 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H) and was published on 2025-01-24.

Attackers with low-privileged access (PR:L) can exploit this remotely over the network (AV:N) with low complexity (AC:L), though it requires user interaction (UI:R). Exploitation allows uploading malicious executable files to the system, which can then be sent to victims to enable further attacks, achieving high impacts on confidentiality, integrity, and availability.

IBM's security advisory provides details on the vulnerability and mitigation, available at https://www.ibm.com/support/pages/node/7168387.

Details

CWE(s): CWE-434

Affected Products

ibm

planning analytics

2.0, 2.1

CVEs Like This One

CVE-2024-40693Same product: Ibm Planning Analytics

CVE-2024-39752Same vendor: Ibm

CVE-2025-13689Same vendor: Ibm

CVE-2025-33015Same vendor: Ibm

CVE-2024-49352Same vendor: Ibm

CVE-2025-36070Same vendor: Ibm

CVE-2023-49886Same vendor: Ibm

CVE-2026-0977Same vendor: Ibm

CVE-2026-1343Same vendor: Ibm

CVE-2023-38010Same vendor: Ibm

References

https://www.ibm.com/support/pages/node/7168387
Vendor Advisory · psirt@us.ibm.com