CVE-2024-40693

High

Published: 24 January 2025

Published

24 January 2025

Modified

05 March 2025

KEV Added

—

Patch

—

CVSS Score 8.0 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0016 36.4th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-40693 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Ibm Planning Analytics. Its CVSS base score is 8.0 (High).

Operationally, ranked at the 36.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-3 (Malicious Code Protection).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly enforces validation of file content uploaded through the web interface, mitigating the core vulnerability of inadequate content checks for malicious executables.

SI-3 Malicious Code Protection good match

preventdetect

Implements malicious code protection to scan and prevent execution of uploaded dangerous executable files within the system.

SI-9 Information Input Restrictions partial match

prevent

Restricts upload of dangerous file types like executables to the web interface, reducing the risk of malicious files being introduced.

NVD Description

IBM Planning Analytics 2.0 and 2.1 could be vulnerable to malicious file upload by not validating the content of the file uploaded to the web interface. Attackers can make use of this weakness and upload malicious executable files into the…

system, and it can be sent to victim for performing further attacks.

Deeper analysisAI

IBM Planning Analytics versions 2.0 and 2.1 are affected by CVE-2024-40693, a vulnerability stemming from inadequate validation of file content uploaded through the web interface. This unrestricted upload of files with dangerous types, mapped to CWE-434, enables attackers to introduce malicious executable files into the system. The issue carries a CVSS v3.1 base score of 8.0 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact across confidentiality, integrity, and availability.

Exploitation requires an authenticated attacker with low privileges (PR:L) to access the web interface over the network. The attacker can upload malicious executable files with low complexity, though it demands user interaction from a victim (UI:R). Once uploaded, these files can be distributed to other users, facilitating further attacks such as malware execution on victim systems.

IBM has issued a security advisory at https://www.ibm.com/support/pages/node/7168387, which provides details on the vulnerability and recommended mitigations or patches for affected versions.

Details

CWE(s): CWE-434

Affected Products

ibm

planning analytics

2.0, 2.1

CVEs Like This One

CVE-2024-25034Same product: Ibm Planning Analytics

CVE-2024-39752Same vendor: Ibm

CVE-2025-13689Same vendor: Ibm

CVE-2025-33015Same vendor: Ibm

CVE-2024-49352Same vendor: Ibm

CVE-2025-36070Same vendor: Ibm

CVE-2023-49886Same vendor: Ibm

CVE-2026-0977Same vendor: Ibm

CVE-2026-1343Same vendor: Ibm

CVE-2023-38010Same vendor: Ibm

References

https://www.ibm.com/support/pages/node/7168387
Vendor Advisory · psirt@us.ibm.com