CVE-2024-25034
Published: 24 January 2025
Summary
CVE-2024-25034 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Ibm Planning Analytics. Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-9 (Information Input Restrictions).
Deeper analysis
CVE-2024-25034 affects IBM Planning Analytics 2.0 and 2.1, specifically in the File Manager T1 process, where insufficient validation of uploaded file types enables malicious file uploads. This vulnerability, classified under CWE-434 (Unrestricted Upload of File with Dangerous Type), carries a CVSS v3.1 base score of 8.0 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H) and was published on 2025-01-24.
Attackers with low-privileged access (PR:L) can exploit this remotely over the network (AV:N) with low complexity (AC:L), though it requires user interaction (UI:R). Exploitation allows uploading malicious executable files to the system, which can then be sent to victims to enable further attacks, achieving high impacts on confidentiality, integrity, and availability.
IBM's security advisory provides details on the vulnerability and mitigation, available at https://www.ibm.com/support/pages/node/7168387.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-22396
Vulnerability details
IBM Planning Analytics 2.0 and 2.1 could be vulnerable to malicious file upload by not validating the type of file in the File Manager T1 process. Attackers can make use of this weakness and upload malicious executable files into the…
more
system that can be sent to victims for performing further attacks.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unrestricted file upload (CWE-434) in public-facing IBM Planning Analytics directly enables exploitation of the application for malicious file ingress and malware staging.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of information inputs like uploaded files to ensure only safe file types are accepted in the File Manager T1 process, addressing the lack of type validation.
Enforces restrictions on system information inputs to block unauthorized file types such as malicious executables during uploads.
Implements malicious code protection to scan and prevent execution or propagation of uploaded dangerous files even if initial validation is bypassed.