CVE-2020-4429
In short
IBM Data Risk Manager comes with a built-in default password for an administrative account that is never changed. An attacker can use this password to log in remotely and gain complete control of the system, including the ability to run malicious code with the highest privileges.
Technical detail
A hardcoded default credential exists for an IDRM administrative account in versions 2.0.1–2.0.6, so a remote attacker needs no prior access to authenticate. Once logged in, the attacker can achieve arbitrary code execution with root privileges, leading to complete system compromise.
Summary generated and translated by AI from the official description.
IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, and 2.0.6 contains a default password for an IDRM administrative account. A remote attacker could exploit this vulnerability to login and execute arbitrary code on the system with root privileges. IBM X-Force ID: 180534.
CVSS:3.0/S:C/AV:N/A:H/AC:L/PR:N/C:H/I:H/UI:N/RC:C/RL:O/E:U
Affected products
IBM · Data Risk Manager