Cyber Posture

CVE-2024-35148

Medium

Published: 25 January 2025

Modified: 08 July 2025
CVSS Score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0017 (38.2nd percentile)
Risk Priority: 13 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-35148 is a medium-severity SQL Injection (CWE-89) vulnerability in IBM Maximo Application Suite. Its CVSS base score is 6.3 (Medium).

Operationally, it ranks at the 38.2nd percentile by exploit likelihood (EPSS 0.0017, below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- Prevent: SI-10 requires validation of all information inputs, directly preventing SQL injection by rejecting specially crafted malicious SQL statements in the Monitor Component.
- Prevent: SI-2 mandates timely remediation of flaws, such as applying IBM's patches specifically issued for this SQL injection vulnerability in Maximo Application Suite.
- Prevent: SI-9 restricts the types and quantities of information inputs, limiting the ability of attackers to submit oversized or malformed SQL payloads to the vulnerable Monitor Component.

NVD Description

IBM Maximo Application Suite 8.10.10, 8.11.7, and 9.0 - Monitor Component is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database.

Deeper analysis

CVE-2024-35148 is a SQL injection vulnerability (CWE-89) in the Monitor Component of IBM Maximo Application Suite versions 8.10.10, 8.11.7, and 9.0. Published on 2025-01-25, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating medium severity: network accessible, low attack complexity, and requiring only low privileges.

A remote attacker with low-privileged access could exploit this vulnerability by sending specially crafted SQL statements to the affected Monitor Component. Successful exploitation would allow the attacker to view, add, modify, or delete information in the back-end database, resulting in limited impacts to confidentiality, integrity, and availability.

IBM has issued a security advisory at https://www.ibm.com/support/pages/node/7174952, which provides details on the vulnerability and recommended mitigation steps, including available patches for the affected versions.

Details

CWE(s): CWE-89 (SQL Injection)

Affected Products: IBM Maximo Application Suite 8.10.10, 8.11.7, 9.0

CVEs Like This One

- CVE-2025-36386 (same product: IBM Maximo Application Suite)
- CVE-2025-13379 (same vendor: IBM)
- CVE-2025-36368 (same vendor: IBM)
- CVE-2023-50316 (same vendor: IBM)
- CVE-2025-13214 (same vendor: IBM)
- CVE-2025-36070 (same vendor: IBM)
- CVE-2023-49886 (same vendor: IBM)
- CVE-2026-1343 (same vendor: IBM)
- CVE-2026-1345 (same vendor: IBM)
- CVE-2025-36072 (same vendor: IBM)
