Cyber Resilience

CVE-2024-52367

Severity: Medium

Published: 07 January 2025
Modified: 18 July 2025
CVSS Score (v3.1): 5.3, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS Score: 0.0014 (34.3rd percentile)
Risk Priority: 11 (weighted 60% EPSS, 20% KEV, 20% CVSS)
KEV Added: not listed

Summary

CVE-2024-52367 is a medium-severity Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497) vulnerability in IBM Concert. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique System Information Discovery (T1082). The CVE ranks at the 34.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-14 (Public Access Protections) and SI-11 (Error Handling).

Deeper analysis

CVE-2024-52367 affects IBM Concert Software versions 1.0.0, 1.0.1, 1.0.2, 1.0.2.1, and 1.0.3, where the software could disclose sensitive system information to an unauthorized actor. This vulnerability, mapped to CWE-497 (with NVD-CWE-noinfo), carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), reflecting medium severity primarily due to low-impact confidentiality loss.

A remote attacker needs no privileges and no user interaction, and the attack complexity is low. Successful exploitation yields sensitive system information, which could facilitate further attacks against the system; integrity and availability are not affected.

The IBM security advisory provides details on remediation; see https://www.ibm.com/support/pages/node/7180303.

Vulnerability details

IBM Concert Software 1.0.0, 1.0.1, 1.0.2, 1.0.2.1, and 1.0.3 could disclose sensitive system information to an unauthorized actor that could be used in further attacks against the system.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1082 System Information Discovery (tactic: Discovery)
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
Why these techniques?

Direct information disclosure enables remote System Information Discovery without authentication.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-64647 (same product: IBM Concert)
CVE-2025-1722 (same product: IBM Concert)
CVE-2025-33089 (same product: IBM Concert)
CVE-2025-33015 (same product: IBM Concert)
CVE-2024-49354 (same product: IBM Concert)
CVE-2025-1719 (same product: IBM Concert)
CVE-2025-13616 (same vendor: IBM)
CVE-2025-13691 (same vendor: IBM)
CVE-2023-38716 (same vendor: IBM)
CVE-2023-38010 (same vendor: IBM)

Affected Assets

Vendor: ibm
Product: concert
Versions: 1.0.0, 1.0.1, 1.0.2, 1.0.2.1, 1.0.3

Mitigating Controls (NIST 800-53 r5)

SC-14 Public Access Protections (prevent): Protects sensitive information associated with public-facing systems from unauthorized remote access, directly mitigating the network-accessible disclosure to unauthenticated actors.

Information output filtering (prevent): Filters information prior to output to non-privileged users, preventing the unauthorized disclosure of sensitive system information.

SI-11 Error Handling (prevent): Ensures error messages reveal only non-sensitive information, addressing common vectors for sensitive system data exposure to attackers.