Cyber Resilience

CVE-2024-40693

High

Published: 24 January 2025

Modified: 05 March 2025
KEV Added: not listed
CVSS Score v3.1: 8.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0016 (36.7th percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-40693 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in IBM Planning Analytics. Its CVSS v3.1 base score is 8.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it at the 36.7th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-3 (Malicious Code Protection).

Deeper analysis

IBM Planning Analytics versions 2.0 and 2.1 are affected by CVE-2024-40693, a vulnerability stemming from inadequate validation of the content of files uploaded through the web interface. This unrestricted upload of files with dangerous types, mapped to CWE-434, allows an attacker to place malicious executable files on the system. The issue carries a CVSS v3.1 base score of 8.0 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H), rated High because of its potential for significant impact on confidentiality, integrity, and availability.

Exploitation requires an authenticated attacker with low privileges (PR:L) who can reach the web interface over the network. Uploading a malicious executable is low in complexity (AC:L), but the attack depends on a victim interacting with the file (UI:R). Once uploaded, such files can be distributed to other users, enabling follow-on attacks such as malware execution on victim systems.

IBM has issued a security advisory at https://www.ibm.com/support/pages/node/7168387, which provides details on the vulnerability and recommended mitigations or patches for affected versions.

Vulnerability details

IBM Planning Analytics 2.0 and 2.1 could be vulnerable to malicious file upload by not validating the content of the file uploaded to the web interface. Attackers can make use of this weakness and upload malicious executable files into the system, and it can be sent to a victim for performing further attacks.

CWE(s)

CWE-434 Unrestricted Upload of File with Dangerous Type

Related Threats

MITRE ATT&CK Enterprise Techniques (AI mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1105 Ingress Tool Transfer (Command and Control)
Adversaries may transfer tools or other files from an external system into a compromised environment.

T1204.002 Malicious File (Execution)
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

An unrestricted file upload via the web interface directly enables remote exploitation of a public-facing application (T1190), lets the attacker bring malicious executables into the environment (T1105), and relies on a user opening them to gain execution (T1204.002).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-25034 (same product: IBM Planning Analytics)
CVE-2024-39752 (same vendor: IBM)
CVE-2025-13689 (same vendor: IBM)
CVE-2025-33015 (same vendor: IBM)
CVE-2023-49886 (same vendor: IBM)
CVE-2024-39750 (same vendor: IBM)
CVE-2026-9170 (same vendor: IBM)
CVE-2026-8175 (same vendor: IBM)
CVE-2026-7876 (same vendor: IBM)
CVE-2024-22348 (same vendor: IBM)

Affected Assets

IBM Planning Analytics, versions 2.0 and 2.1

Mitigating Controls (NIST 800-53 r5, AI mapping)

prevent · SI-10 Information Input Validation
Directly enforces validation of file content uploaded through the web interface, mitigating the core vulnerability of inadequate content checks for malicious executables.

prevent, detect · SI-3 Malicious Code Protection
Implements malicious code protection to scan and prevent execution of uploaded dangerous executable files within the system.

prevent
Restricts upload of dangerous file types like executables to the web interface, reducing the risk of malicious files being introduced.
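The content-validation control above (and the weakness described under Deeper analysis) comes down to deciding on what a file contains rather than what the client named it. The following is an added example, not IBM code and not from the advisory: a server-side upload check that applies an extension allowlist, rejects known executable signatures regardless of name, and requires typed formats to carry matching magic bytes. The allowed types and signatures are assumptions chosen for illustration.

```python
import os

# Allowed extensions and the magic bytes their content must begin with
# (assumed allowlist; text formats have no fixed signature).
ALLOWED_SIGNATURES = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".pdf": [b"%PDF-"],
    ".csv": [],
}

# Signatures of executable content that must never be stored or served
# to other users, whatever extension the client chose.
EXECUTABLE_SIGNATURES = [
    (b"MZ", "PE/DOS executable"),
    (b"\x7fELF", "ELF executable"),
    (b"#!", "script with interpreter line"),
    (b"\xcf\xfa\xed\xfe", "Mach-O executable"),
    (b"\xfe\xed\xfa\xce", "Mach-O executable"),
]


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Decisions are based on content, not name."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_SIGNATURES:
        return False, f"extension {ext or '(none)'} not in allowlist"
    # Reject executable content first, regardless of the declared type.
    for sig, label in EXECUTABLE_SIGNATURES:
        if data.startswith(sig):
            return False, f"content is {label}"
    # For typed formats, the declared extension and the bytes must agree.
    expected = ALLOWED_SIGNATURES[ext]
    if expected and not any(data.startswith(s) for s in expected):
        return False, f"content does not match declared type {ext}"
    return True, "accepted"
```

A magic-byte match shows that a file is not mislabelled; it does not show that a PDF or PNG is benign, which is why the SI-3 scanning control is listed alongside validation.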

References

IBM Security Bulletin: https://www.ibm.com/support/pages/node/7168387