Cyber Resilience

CVE-2024-41766

Severity: High
Published: 04 January 2025
Modified: 21 March 2025
KEV Added: not listed
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0012 (30.4th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-41766 is a high-severity Inefficient Regular Expression Complexity (CWE-1333) vulnerability in IBM Engineering Lifecycle Optimization - Publishing. Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). EPSS ranks it at the 30.4th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-41766 is a denial-of-service vulnerability affecting IBM Engineering Lifecycle Optimization - Publishing versions 7.0.2 and 7.0.3. The flaw, classified under CWE-1333, arises from the use of a complex regular expression that can be exploited to consume excessive resources, leading to service disruption. It has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity due to its potential for significant availability impact without requiring authentication or user interaction.

A remote attacker can exploit this vulnerability over the network with low complexity and no privileges by sending a specially crafted request containing a complex regular expression. Successful exploitation results in a denial of service, potentially crashing the affected service or rendering it unresponsive, though it does not enable data exfiltration, modification, or privilege escalation.

IBM has published a security advisory at https://www.ibm.com/support/pages/node/7180203 providing details on the vulnerability and available patches or workarounds for mitigation. Security practitioners should review the advisory for version-specific remediation steps to protect affected deployments.

Vulnerability details

IBM Engineering Lifecycle Optimization - Publishing 7.0.2 and 7.0.3 could allow a remote attacker to cause a denial of service using a complex regular expression.

CWE(s)

CWE-1333 Inefficient Regular Expression Complexity

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

ReDoS vulnerability in public-facing app directly enables application-layer DoS via crafted input (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-41763 (same product: IBM Engineering Lifecycle Optimization - Publishing)
CVE-2024-41767 (same product: IBM Engineering Lifecycle Optimization - Publishing)

Affected Assets

Vendor: IBM
Product: Engineering Lifecycle Optimization - Publishing
Versions: 7.0.2, 7.0.3

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly mitigates the CVE by requiring timely remediation of the known ReDoS flaw through patching as advised by IBM.

Prevent (SC-5, Denial-of-service Protection): Provides comprehensive protection against denial-of-service attacks such as resource exhaustion from complex regular expressions.

Prevent (SI-10, Information Input Validation): Enforces validation of inputs to block specially crafted complex regular expressions that trigger excessive resource consumption.

References

IBM Security Bulletin: https://www.ibm.com/support/pages/node/7180203