Cyber Posture

CVE-2024-45652

Severity: Medium

Published: 19 January 2025
Modified: 18 August 2025
KEV Added: not listed
Patch: IBM security bulletin (see References)
CVSS Score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0007 (22.2nd percentile)
Risk Priority: 13 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-45652 is a medium-severity Path Traversal (CWE-22) vulnerability in IBM Maximo Asset Management. Its CVSS base score is 6.5 (Medium).

Operationally, its exploit likelihood ranks at the 22.2nd percentile (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent (SI-10, Information Input Validation): Directly mitigates directory traversal by enforcing input validation on MXAPIASSET API URL parameters to block or sanitize '../' sequences.

prevent (SI-2, Flaw Remediation): Remediates the specific CVE flaw through timely identification, testing, and application of IBM's published patches for Maximo 7.6.1.3.

detect: Monitors for information disclosure events such as unauthorized file access attempts via anomalous path traversal in API requests.

NVD Description

IBM Maximo MXAPIASSET API 7.6.1.3 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.

Deeper analysis

CVE-2024-45652 is a directory traversal vulnerability (CWE-22) affecting the IBM Maximo MXAPIASSET API in version 7.6.1.3. It enables a remote attacker to access arbitrary files on the underlying system by sending a specially crafted URL request that includes "dot dot" sequences (/../). The vulnerability has a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N), indicating medium severity with high confidentiality impact but no integrity or availability disruption.

An authenticated remote attacker with low privileges (PR:L) can exploit this over the network with low attack complexity and no user interaction required. By manipulating URL parameters with path traversal sequences, the attacker can read sensitive files outside the intended directory, potentially exposing configuration data, credentials, or other system information.
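The two controls above, input validation on the file parameter (SI-10) and detection of traversal attempts in API request logs, as an added example that is not from this page or from IBM. The attachment root, the `doclink` parameter name, the URL path and the log lines are all constructed assumptions for illustration.

```python
import os
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed for this example: where the API is assumed to keep documents.
ATTACHMENT_ROOT = "/srv/maximo/attachments"
# A raw "dot dot" segment, after decoding, is what the NVD text describes.
DOTDOT_RE = re.compile(r"\.\.[/\\]")


def decode_param(value: str) -> str:
    """Percent-decode twice so a double-encoded '%252e%252e%2f' is seen as '../'."""
    return unquote(unquote(value))


def resolve_under_root(root: str, requested: str) -> Optional[str]:
    """SI-10 style check: return the absolute file path only if it stays inside
    `root`, otherwise None. Uses realpath + commonpath instead of a blacklist,
    so 'root_evil' sibling directories and symlink escapes are rejected too."""
    decoded = decode_param(requested)
    if "\x00" in decoded or os.path.isabs(decoded):
        return None
    base = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def flag_traversal_requests(log_lines: List[str]) -> List[Tuple[int, str]]:
    """Detect control: (line number, decoded URL) for access-log lines whose
    request URL carries a traversal segment, raw or percent-encoded."""
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        m = re.search(r'"(?:GET|POST|PUT) (\S+)', line)
        if not m:
            continue
        decoded = decode_param(m.group(1))
        if DOTDOT_RE.search(decoded):
            hits.append((lineno, decoded))
    return hits


# Constructed access-log sample; the 'doclink' parameter is hypothetical.
SAMPLE_LOG = [
    '10.0.0.5 - jsmith [19/Jan/2025:10:02:11 +0000] "GET /maximo/oslc/os/mxapiasset?doclink=reports/2024/summary.pdf HTTP/1.1" 200 8812',
    '10.0.0.9 - jsmith [19/Jan/2025:10:02:19 +0000] "GET /maximo/oslc/os/mxapiasset?doclink=../../../../etc/passwd HTTP/1.1" 200 1431',
    '10.0.0.9 - jsmith [19/Jan/2025:10:02:25 +0000] "GET /maximo/oslc/os/mxapiasset?doclink=%252e%252e%2f%252e%252e%2fWEB-INF%2fweb.xml HTTP/1.1" 200 5520',
]

if __name__ == "__main__":
    for lineno, url in flag_traversal_requests(SAMPLE_LOG):
        print(f"line {lineno}: traversal in {url}")
```

The 200 status on the flagged lines is the signal worth alerting on: a traversal request that succeeds, rather than one the server rejected.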

IBM has published a security bulletin at https://www.ibm.com/support/pages/node/7174820 providing details on the vulnerability and available patches or remediation steps for affected Maximo deployments.

Details

CWE(s)

CWE-22 (Path Traversal)

Affected Products

IBM Maximo Asset Management 7.6.1.3

CVEs Like This One

CVE-2025-14914 (same vendor: IBM)
CVE-2025-3356 (same vendor: IBM)
CVE-2025-36236 (same vendor: IBM)
CVE-2024-49352 (same vendor: IBM)
CVE-2025-36070 (same vendor: IBM)
CVE-2023-49886 (same vendor: IBM)
CVE-2026-0977 (same vendor: IBM)
CVE-2026-1343 (same vendor: IBM)
CVE-2023-38010 (same vendor: IBM)
CVE-2026-4788 (same vendor: IBM)

References

IBM security bulletin: https://www.ibm.com/support/pages/node/7174820