Cyber Posture

CVE-2024-43169

High

Published: 03 March 2025

Published
03 March 2025
Modified
07 March 2025
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0010 27.3th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-43169 is a high-severity Download of Code Without Integrity Check (CWE-494) vulnerability in Ibm Engineering Requirements Management Doors Next. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 27.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-3 (Malicious Code Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Malicious File (T1204.002). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Requires identification, reporting, and timely remediation of flaws like CVE-2024-43169, directly patching the lack of code integrity verification during downloads.

SI-7 Software, Firmware, and Information Integrity good match
preventdetect

Mandates integrity verification tools and techniques for software, firmware, and information to detect unauthorized changes, directly countering downloads without integrity checks.

SI-3 Malicious Code Protection good match
detectrespond

Deploys malicious code protection at system entry and exit points to detect and eradicate malicious files, mitigating execution of unverified downloaded code.

MITRE ATT&CK Enterprise TechniquesAI

T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
attack.mitre.org →
Why these techniques?

The vulnerability (CWE-494) involves downloading code without integrity verification, directly enabling an attacker to trick a user into downloading and executing a malicious file, leading to arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

IBM Engineering Requirements Management DOORS Next 7.0.2, 7.0.3, and 7.1 could allow a user to download a malicious file without verifying the integrity of the code.

Deeper analysisAI

IBM Engineering Requirements Management DOORS Next versions 7.0.2, 7.0.3, and 7.1 are affected by CVE-2024-43169, a vulnerability that allows a user to download a malicious file without verifying the integrity of the code. This issue, classified under CWE-494 (Download of Code Without Integrity Check), has a CVSS v3.1 base score of 8.8, indicating high severity due to its potential for significant impact.

An unauthenticated remote attacker (PR:N) with network access (AV:N) can exploit this vulnerability by tricking a user into performing an action (UI:R), such as clicking a link or downloading a file, with low attack complexity (AC:L). Successful exploitation could result in high confidentiality, integrity, and availability impacts (C:H/I:H/A:H), potentially allowing arbitrary code execution on the victim's system within an unchanged security scope (S:U).

For mitigation details, including available patches and remediation steps, refer to the IBM security bulletin at https://www.ibm.com/support/pages/node/7184506.

Details

CWE(s)
CWE-494

Affected Products

ibm
engineering requirements management doors next
7.0.2, 7.0.3, 7.1

CVEs Like This One

CVE-2024-41770Same product: Ibm Engineering Requirements Management Doors Next
CVE-2024-41771Same product: Ibm Engineering Requirements Management Doors Next
CVE-2024-56340Same vendor: Ibm
CVE-2024-43187Same vendor: Ibm
CVE-2025-0162Same vendor: Ibm
CVE-2024-28766Same vendor: Ibm
CVE-2025-14480Same vendor: Ibm
CVE-2024-25034Same vendor: Ibm
CVE-2024-39750Same vendor: Ibm
CVE-2024-49352Same vendor: Ibm

References