
CVE-2024-40702

Severity: High
Published: 07 January 2025
Modified: 03 July 2025
CVSS v3.1 score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
EPSS score: 0.0013 (31.6th percentile)
Risk priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-40702 is a high-severity Improper Certificate Validation (CWE-295) vulnerability in IBM Cognos Controller. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 31.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-17 (Public Key Infrastructure Certificates).

Deeper analysis

CVE-2024-40702 affects IBM Cognos Controller versions 11.0.0 through 11.0.1 and IBM Controller 11.1.0 due to improper certificate validation (CWE-295). This vulnerability enables an unauthorized user to obtain valid tokens, granting access to protected resources. It has a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), indicating high severity with network accessibility, low attack complexity, and no prerequisite privileges or user interaction.

An attacker requires no authentication to exploit this flaw remotely. By leveraging the improper certificate validation, they can acquire legitimate tokens to access sensitive protected resources, resulting in high confidentiality impact through unauthorized data exposure and low integrity impact, potentially allowing limited data tampering, with no availability disruption.

IBM provides details and mitigation guidance in its security advisory at https://www.ibm.com/support/pages/node/7179163.


Vulnerability details

IBM Cognos Controller 11.0.0 through 11.0.1 and IBM Controller 11.1.0 could allow an unauthorized user to obtain valid tokens to gain access to protected resources due to improper certificate validation.


Related Threats (MITRE ATT&CK Enterprise Techniques)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Improper certificate validation allows unauthenticated remote attackers to obtain valid access tokens for a public-facing application, directly enabling exploitation of the exposed service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-28777 (same product: IBM Cognos Controller)
CVE-2024-45084 (same product: IBM Cognos Controller)
CVE-2023-47160 (same product: IBM Cognos Controller)
CVE-2024-52902 (same product: IBM Cognos Controller)
CVE-2026-21228 (same vendor: Microsoft)
CVE-2024-41763 (same product: Microsoft Windows)
CVE-2024-41767 (same product: Microsoft Windows)
CVE-2026-8855 (same product: Microsoft Windows)
CVE-2024-38337 (same product: Microsoft Windows)
CVE-2026-8834 (same product: Microsoft Windows)

Affected Assets

IBM Cognos Controller: 11.0.0 through 11.0.1
IBM Controller: 11.1.0

Mitigating Controls (NIST 800-53 r5)

SC-17, Public Key Infrastructure Certificates (prevent): requires implementation of cryptographic mechanisms to validate PKI certificates, directly preventing exploitation of the improper certificate validation in CVE-2024-40702 that allows unauthorized token acquisition.

IA-5, Authenticator Management (prevent): mandates secure management of authenticators, including PKI certificates, ensuring proper validation and protection against unauthorized use leading to token compromise.

SI-2, Flaw Remediation (prevent): requires timely identification, reporting, and remediation of system flaws such as the certificate validation vulnerability in CVE-2024-40702, preventing unauthorized access via patching.
