# CVE-2020-4428
Published 2020-05-07

IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, and 2.0.4 could allow a remote authenticated attacker to execute arbitrary commands on the system. IBM X-Force ID: 180533.

Priority: P1 (88), critical, CVSS 3.1 base score 9.1
CVSS 3.1 vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2022-05-03
Exploited in the wild
EPSS: 61.69% (99.1 percentile)
## Affected
7 ranges listed (6 of them without stated version bounds)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ibm | data_risk_manager | 2.0.1 – 2.0.4 | — |
## Detection & IOCs
Extracted from sources.

- username: a3user
- password: idrm
- URL: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/ssh/ibm_drm_a3user.rb

Detection notes:
- Detect SSH login attempts using the hardcoded default credential pair a3user / idrm against port 22 on IBM Data Risk Manager hosts.
- Check for successful SSH password authentication (UserAuth includes 'password') followed by a successful login as a3user; this indicates exploitation of the hardcoded-credential vulnerability.
- The full exploit chain is unauthenticated: auth bypass (<= 2.0.6.1), then command injection as the server user (<= 2.0.4), then abuse of an insecure default password, resulting in a root shell. Monitor for unexpected outbound connections or shell spawning from the IDRM process.
- The authentication bypass is effective on IDRM versions <= 2.0.6.1; command injection is effective on versions <= 2.0.4. Prioritize detection on these version ranges.
- CVE-2020-4428 (RCE via command injection) is distinct from CVE-2020-4429 (hardcoded credentials). The Nuclei template and Metasploit SSH module reference CVE-2020-4429 / the a3user:idrm credential pair, but the full exploit chain in ibm_drm_rce.rb chains both CVEs together. Ensure detections are attributed to the correct CVE.
- The hardcoded credential (a3user / idrm) grants an IDRM administrative account with root privileges. Any detection based solely on SSH login success must account for the possibility of legitimate administrative use of this account if the password has not been changed.
## CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| nvd | v3.0 | 9.1 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| ghsa | — | 8.8 | HIGH | — |
| vulncheck | — | 9.1 | CRITICAL | — |
| cisa | — | 9.1 | CRITICAL | — |
| vendor_redhat | — | 7.9 | HIGH | — |
## GHSA
CVE-2025-35036 [HIGH] CWE-94: Hibernate Validator may interpolate user-supplied input in a constraint violation message with Expression Language
ghsa · 2025-06-03 · CVSS 8.8

Hibernate Validator before 6.2.0 and 7.0.0, by default and depending on how it is used, may interpolate user-supplied input in a constraint violation message with Expression Language. This could allow an attacker to access sensitive information or execute arbitrary Java code. Hibernate Validator as of 6.2.0 and 7.0.0 no longer interpolates custom constraint violation messages with Expression Language and strongly recommends not allowing user-supplied input in constraint violation messages. CVE-2020-5245 and CVE-2025-4428 are examples of related, downstream vulnerabilities involving Expression Language interpolation of user-supplied data.
## GHSA
CVE-2020-4428 [HIGH] CWE-78: GHSA-r3v6-c98w-p4j5: IBM Data Risk Manager 2
ghsa_unreviewed · 2022-05-24

IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, and 2.0.6 could allow a remote authenticated attacker to execute arbitrary commands on the system. IBM X-Force ID: 180533.
## VulnCheck
CVE-2020-4428 [CRITICAL] CWE-78: IBM Data Risk Manager Remote Code Execution Vulnerability
vulncheck · 2020 · CVSS 9.1

IBM Data Risk Manager contains an unspecified vulnerability which could allow a remote, authenticated attacker to execute commands on the system.
Affected: IBM Data Risk Manager
Required Action: Apply updates per vendor instructions.
Exploitation References:
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://8813571.fs1.hubspotusercontent-na1.net/hubfs/8813571/PERISCOPE_VULNINTEL_20250812.pdf
Remediation Due: 2022-05-03
## Red Hat
CVE-2025-35036 [HIGH] CWE-94: hibernate-validator: Hibernate Validator Expression Language Injection
vendor_redhat · 2025-06-03 · CVSS 7.9

Hibernate Validator before 6.2.0 and 7.0.0, by default and depending on how it is used, may interpolate user-supplied input in a constraint violation message with Expression Language. This could allow an attacker to access sensitive information or execute arbitrary Java code. Hibernate Validator as of 6.2.0 and 7.0.0 no longer interpolates custom constraint violation messages with Expression Language and strongly recommends not allowing user-supplied input in constraint violation messages. CVE-2020-5245 and CVE-2025-4428 are examples of related, downstream vulnerabilities involving Expression Language interpolation of user-supplied data.
A flaw was found in Hibernate Validator. This vulnerability allows unauthorized acces
## CISA
CVE-2020-4428 [CRITICAL] CWE-78: IBM Data Risk Manager Remote Code Execution Vulnerability
cisa · 2021-11-03 · CVSS 9.1

Vulnerability: IBM Data Risk Manager Remote Code Execution Vulnerability
Affected: IBM Data Risk Manager
IBM Data Risk Manager contains an unspecified vulnerability which could allow a remote, authenticated attacker to execute commands on the system.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2020-4428
Remediation Due Date: 2022-05-03
No detection rules found.
## Nuclei
CVE-2020-4429 [CRITICAL]: IBM Data Risk Manager - Hardcoded Credentials
nuclei · CVSS 9.8

IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, and 2.0.6 contains a default password for an IDRM administrative account. A remote attacker could exploit this vulnerability to log in and execute arbitrary code on the system with root privileges. IBM X-Force ID: 180534.

Template:
```yaml
id: CVE-2020-4429

info:
  name: IBM Data Risk Manager - Hardcoded Credentials
  author: Kazgangap
  severity: critical
  description: |
    IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, and 2.0.6 contains a default password for an IDRM administrative account. A remote attacker could exploit this vulnerability to login and execute arbitrary code on the system with root privileges. IBM X-Force ID- 180534.
  impact: |
    Remote attackers can gain root access and exec
```
## Metasploit
IBM Data Risk Manager Unauthenticated Remote Code Execution
metasploit

IBM Data Risk Manager (IDRM) contains three vulnerabilities that can be chained by an unauthenticated attacker to achieve remote code execution as root. The first is an unauthenticated bypass, followed by a command injection as the server user, and finally abuse of an insecure default password. This module exploits all three vulnerabilities, giving the attacker a root shell. At the time of disclosure this was an 0day, but it was later confirmed and patched by IBM. The authentication bypass works on versions <= 2.0.6.1, but the command injection should only work on versions <= 2.0.4 according to IBM.
## arXiv
LLM-Assisted Proactive Threat Intelligence for Automated Reasoning
arxiv_fulltext · 2025-04-01

Shuva Paul, Member, IEEE; Farhad Alemi, Student Member, IEEE; and Richard Macwan, Member, IEEE
Farhad Alemi is a graduate researcher at Arizona State University.
Shuva Paul and Richard Macwan are researchers at the National Renewable Energy Laboratory, Golden, CO.
### Abstract
Successful defense against dynamically evolving cyber threats requires advanced and sophisticated techniques. This research presents a novel approach to enhance real-time cybersecurity threat detection and response by integrating large language models (LLMs) and Retrieval-Augmented Generation (RAG) systems with continuous threat intelligen
## Bugzilla
CVE-2025-35036 [HIGH]: CVE-2025-35036 hibernate-validator: Hibernate Validator Expression Language Injection
bugzilla · 2025-06-03 · CVSS 8.8

Hibernate Validator before 6.2.0 and 7.0.0, by default and depending on how it is used, may interpolate user-supplied input in a constraint violation message with Expression Language. This could allow an attacker to access sensitive information or execute arbitrary Java code. Hibernate Validator as of 6.2.0 and 7.0.0 no longer interpolates custom constraint violation messages with Expression Language and strongly recommends not allowing user-supplied input in constraint violation messages. CVE-2020-5245 and CVE-2025-4428 are examples of related, downstream vulnerabilities involving Expression Language interpolation of user-supplied data.
Discussion:
This issue has been addressed in the following products:

## References
- https://exchange.xforce.ibmcloud.com/vulnerabilities/180533
- https://www.ibm.com/support/pages/node/6206875
- http://seclists.org/fulldisclosure/2024/Nov/0
- http://seclists.org/fulldisclosure/2024/Nov/1
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-4428
## Timeline
- 2020-05-07: Published
- 2021-11-03: Added to CISA KEV
- Exploited in the wild