CVE-2024-45652

Severity: Medium
Published: 19 January 2025
Modified: 18 August 2025
KEV Added: not listed
Patch: see the IBM bulletin below
CVSS Score (v3.1): 6.5, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS Score: 0.0010 (27.3rd percentile)
Risk Priority: 13 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-45652 is a medium-severity Path Traversal (CWE-22) vulnerability in IBM Maximo Asset Management. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 27.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-45652 is a directory traversal vulnerability (CWE-22) affecting the IBM Maximo MXAPIASSET API in version 7.6.1.3. It enables a remote attacker to access arbitrary files on the underlying system by sending a specially crafted URL request that includes "dot dot" sequences (/../). The vulnerability has a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N), indicating medium severity with high confidentiality impact but no integrity or availability disruption.

An authenticated remote attacker with low privileges (PR:L) can exploit this over the network with low attack complexity and no user interaction required. By manipulating URL parameters with path traversal sequences, the attacker can read sensitive files outside the intended directory, potentially exposing configuration data, credentials, or other system information.

IBM has published a security bulletin at https://www.ibm.com/support/pages/node/7174820 providing details on the vulnerability and available patches or remediation steps for affected Maximo deployments.

Vulnerability details

IBM Maximo MXAPIASSET API 7.6.1.3 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.

CWE(s): CWE-22 (Path Traversal)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Directory traversal in the public-facing Maximo API directly enables remote file read from the local system (T1005) via exploitation of the vulnerable web endpoint (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

Affected Assets

IBM Maximo Asset Management 7.6.1.3

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-10 Information Input Validation): Directly mitigates directory traversal by enforcing input validation mechanisms on MXAPIASSET API URL parameters to block or sanitize '../' sequences.

Prevent (SI-2 Flaw Remediation): Remediates the specific CVE flaw through timely identification, testing, and application of IBM's published patches for Maximo 7.6.1.3.

Detect: Monitors for information disclosure events such as unauthorized file access attempts via anomalous path traversal in API requests.
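The input-validation and monitoring controls above, as an added example that is not IBM's or this page's code: a detection pass over constructed access-log lines that flags requests to the MXAPIASSET endpoint whose query values would escape the base directory, after bounded percent-decoding so that encoded and double-encoded "dot dot" variants are caught alongside the plain form. The endpoint path `/maximo/oslc/os/mxapiasset` and the `file` parameter are assumptions made for the example.

```python
import re
from urllib.parse import parse_qsl, unquote

# Constructed access-log lines (not real traffic); the endpoint path and the
# "file" parameter are assumptions for this example, not from the bulletin.
SAMPLE_LOG = """\
10.0.0.6 - - [19/Jan/2025:10:00:02 +0000] "GET /maximo/oslc/os/mxapiasset?file=../../../etc/passwd HTTP/1.1" 200 1842
10.0.0.7 - - [19/Jan/2025:10:00:03 +0000] "GET /maximo/oslc/os/mxapiasset?file=..%2F..%2Fconfig.properties HTTP/1.1" 200 903
10.0.0.8 - - [19/Jan/2025:10:00:04 +0000] "GET /maximo/oslc/os/mxapiasset?file=%252e%252e/secret HTTP/1.1" 200 77
10.0.0.9 - - [19/Jan/2025:10:00:05 +0000] "GET /maximo/oslc/os/mxapiasset?file=docs/..notes.txt HTTP/1.1" 200 41
"""
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')


def canonicalize(value: str, max_rounds: int = 3) -> str:
    """Bounded repeated percent-decoding (so %252e collapses) plus backslash folding."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def escapes_base(value: str) -> bool:
    """True if a relative path would resolve above its base: depth goes negative."""
    canon = canonicalize(value)
    if canon.startswith("/"):
        return True  # an absolute path is never inside the base directory
    depth = 0
    for seg in canon.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1  # 'a/../b' stays inside; '../b' and '..notes.txt' are judged correctly
    return False


def find_traversal_requests(log_text, endpoint="/maximo/oslc/os/mxapiasset"):
    """(client_ip, target) for endpoint requests whose query values escape the base.
    Status is not filtered: a 200 on such a request is the disclosure event to triage."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        target = match.group("target") if match else ""
        path, _, query = target.partition("?")
        if canonicalize(path).lower() != endpoint:
            continue
        if any(escapes_base(v) for _, v in parse_qsl(query, keep_blank_values=True)):
            hits.append((line.split(" ", 1)[0], target))
    return hits
```

The same `escapes_base` check, applied server-side before a parameter is used to open a file, is the SI-10 control in code form; the log pass is the detect control run after the fact.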