Cyber Resilience

CVE-2024-28766

Low

Published: 27 January 2025

Published
27 January 2025
Modified
14 July 2025
KEV Added
Patch
CVSS Score v3.1 2.4 CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
EPSS Score 0.0009 26.2th percentile
Risk Priority 5 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-28766 is a low-severity Exposure of Information Through Directory Listing (CWE-548) vulnerability in Ibm Security Directory Integrator. Its CVSS base score is 2.4 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 26.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AU-13 (Monitoring for Information Disclosure) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-28766 affects IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0, where the software could disclose sensitive information about directory contents. This information exposure vulnerability, mapped to CWE-548, carries a CVSS v3.1 base score of 2.4 (AV:A/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N) and was published on 2025-01-27.

Attackers with high privileges (PR:H) on an adjacent network (AV:A) can exploit this with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation enables low-impact confidentiality disclosure (C:L) of directory contents, which could aid in further attacks against the system, without affecting integrity or availability.

IBM provides details on the vulnerability and mitigation in its security advisory at https://www.ibm.com/support/pages/node/7161444.

EU & UK References

Vulnerability details

IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 could disclose sensitive information about directory contents that could aid in further attacks against the system.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Vulnerability directly enables unauthorized disclosure of sensitive directory contents from the local system (information exposure per CWE-548), mapping to data collection from the compromised host.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-0977Same vendor: Ibm
CVE-2025-13108Same vendor: Ibm
CVE-2025-1722Same vendor: Ibm
CVE-2025-0162Same vendor: Ibm
CVE-2026-4788Same vendor: Ibm
CVE-2025-14923Same vendor: Ibm
CVE-2024-41771Same vendor: Ibm
CVE-2024-31896Same vendor: Ibm
CVE-2026-1567Same vendor: Ibm
CVE-2024-45652Same vendor: Ibm

Affected Assets

ibm
security directory integrator
7.2.0
ibm
security verify directory integrator
10.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the software flaw in IBM Security Directory Integrator that causes disclosure of sensitive directory contents information.

detect

Specifically monitors the system for unauthorized disclosure of sensitive information such as directory contents leaked by this CVE.

prevent

Enforces least privilege to restrict high-privilege (PR:H) access required to exploit the directory contents disclosure on adjacent networks.

References