CVE-2024-28766
Published: 27 January 2025
Summary
CVE-2024-28766 is a low-severity Exposure of Information Through Directory Listing (CWE-548) vulnerability in IBM Security Directory Integrator. Its CVSS base score is 2.4 (Low).
Operationally, it ranks at the 26.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AU-13 (Monitoring for Information Disclosure) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly remediates the software flaw in IBM Security Directory Integrator that causes disclosure of sensitive directory contents information.
Specifically monitors the system for unauthorized disclosure of sensitive information such as directory contents leaked by this CVE.
Enforces least privilege to restrict high-privilege (PR:H) access required to exploit the directory contents disclosure on adjacent networks.
NVD Description
IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 could disclose sensitive information about directory contents that could aid in further attacks against the system.
Deeper analysis
CVE-2024-28766 affects IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0, where the software could disclose sensitive information about directory contents. This information exposure vulnerability, mapped to CWE-548, carries a CVSS v3.1 base score of 2.4 (AV:A/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N) and was published on 2025-01-27.
Attackers with high privileges (PR:H) on an adjacent network (AV:A) can exploit this with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation enables low-impact confidentiality disclosure (C:L) of directory contents, which could aid in further attacks against the system, without affecting integrity or availability.
IBM provides details on the vulnerability and mitigation in its security advisory at https://www.ibm.com/support/pages/node/7161444.
Details
- CWE(s)