Cyber Posture

CVE-2024-28777

High · RCE

Published: 19 February 2025
Modified: 25 July 2025
KEV Added: not listed
Patch: see the IBM security advisory
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0039 (60.2nd percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-28777 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in IBM Cognos Controller. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 39.8% of CVEs by exploit likelihood (EPSS 0.0039); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

prevent (SI-2, Flaw Remediation): Requires timely remediation of known vulnerabilities like CVE-2024-28777 through application of vendor patches as detailed in the IBM security advisory.

prevent (SI-10, Information Input Validation): Enforces validation of untrusted inputs to block malicious serialized data that exploits unrestricted deserialization for arbitrary code execution.

prevent (memory protection): Provides memory protections such as DEP and ASLR to mitigate successful arbitrary code execution resulting from deserialization exploitation.
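The input-validation control above amounts to one rule for a deserializer: resolve only an explicit allow-list of types and refuse everything else before any object is constructed. The following is an added illustration written for this page, not IBM's code and not specific to Cognos Controller; it uses Python's pickle module as the stand-in format, with a constructed domain type `ReportRow` and constructed sample payloads. The same pattern in Java is `java.io.ObjectInputFilter` attached to an `ObjectInputStream`.

```python
import io
import pickle
from dataclasses import dataclass
from datetime import date


@dataclass
class ReportRow:
    """Constructed domain type that the service legitimately exchanges."""
    account: str
    amount: int


# Allow-list of (module, qualified name) pairs the deserializer may resolve.
# Any global reference outside this set is refused before it is looked up,
# which is what stops a serialized stream from pulling in arbitrary classes.
ALLOWED_GLOBALS = {
    (ReportRow.__module__, ReportRow.__qualname__),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that consults the allow-list for every class reference."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to deserialize global {module}.{name}: not allow-listed"
        )


def safe_loads(data: bytes):
    """Deserialize `data` under the allow-list; raises UnpicklingError on violation."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_load(data: bytes):
    """Return ('ok', obj) or ('rejected', reason) so the caller can log the outcome."""
    try:
        return "ok", safe_loads(data)
    except pickle.UnpicklingError as exc:
        return "rejected", str(exc)


# Constructed sample inputs (not captured from any real system).
BENIGN = pickle.dumps([ReportRow("ACME-001", 1200), ReportRow("ACME-002", 350)])
# A stream referencing a type outside the allow-list; datetime.date stands in
# for any class the application never intended to accept from a client.
UNLISTED = pickle.dumps(date(2025, 2, 19))


if __name__ == "__main__":
    print(try_load(BENIGN))
    print(try_load(UNLISTED))
```

The check happens in `find_class`, i.e. at the moment the stream names a class, so an unlisted type is rejected before its constructor or any reduction callable runs. Rejections are returned as a reason string rather than swallowed, so they can be logged and alerted on as a detection signal.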

NVD Description

IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 is vulnerable to unrestricted deserialization. This vulnerability allows users to execute arbitrary code, escalate privileges, or cause denial of service attacks by exploiting the unrestricted deserialization of types in the application.

Deeper analysis [AI-generated]

IBM Cognos Controller versions 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 are affected by CVE-2024-28777, an unrestricted deserialization vulnerability (CWE-502). The flaw stems from the application deserializing types without proper restrictions, and it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Published on February 19, 2025, the vulnerability exposes the software to potential exploitation through crafted inputs.

Attackers with low-privilege authenticated access over the network can exploit this vulnerability without user interaction. Successful exploitation enables arbitrary code execution, privilege escalation, or denial-of-service conditions, potentially compromising confidentiality, integrity, and availability of the affected system.

The IBM security advisory at https://www.ibm.com/support/pages/node/7183597 details mitigation steps, including applying available patches for the impacted versions.

Details

CWE(s): CWE-502 (Deserialization of Untrusted Data)

Affected Products

IBM Cognos Controller: 11.0.0 through 11.0.1.4
IBM Controller: 11.1.0

CVEs Like This One

CVE-2024-45084: same product (IBM Cognos Controller)
CVE-2024-40702: same product (IBM Cognos Controller)
CVE-2024-52902: same product (IBM Cognos Controller)
CVE-2023-47160: same product (IBM Cognos Controller)
CVE-2025-69276: same product (Microsoft Windows)
CVE-2023-49886: same vendor (IBM)
CVE-2025-36072: same vendor (IBM)
CVE-2025-53770: same vendor (Microsoft)
CVE-2026-21511: same vendor (Microsoft)
CVE-2025-54897: same vendor (Microsoft)

References