CVE-2020-4428
published 2020-05-07

Priority: P1 (88) · critical · CVSS 3.1 base score 9.1
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Flags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability (remediation due 2022-05-03)
Exploited in the wild
EPSS: 61.69% (percentile 99.1)
IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, and 2.0.4 could allow a remote authenticated attacker to execute arbitrary commands on the system. IBM X-Force ID: 180533.

Affected (7 ranges)

Vendor  Product            Version range  Fixed in
ibm     data_risk_manager  -              -
ibm     data_risk_manager  -              -
ibm     data_risk_manager  -              -
ibm     data_risk_manager  -              -
ibm     data_risk_manager  -              -
ibm     data_risk_manager  -              -
ibm     data_risk_manager  2.0.1 - 2.0.4  -

Detection & IOCs (extracted from sources)

other: username: a3user
other: password: idrm
url: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/ssh/ibm_drm_a3user.rb
  • Detect SSH login attempts using the hardcoded default credential pair a3user / idrm against port 22 on IBM Data Risk Manager hosts.
  • Check for successful SSH password authentication (UserAuth includes 'password') followed by a successful login as a3user — this indicates exploitation of the hardcoded credential vulnerability.
  • The full exploit chain is unauthenticated: auth bypass (<=2.0.6.1) → command injection as server user (<=2.0.4) → abuse of insecure default password, resulting in a root shell. Monitor for unexpected outbound connections or shell spawning from the IDRM process.
  • The authentication bypass is effective on IDRM versions <= 2.0.6.1; command injection is effective on versions <= 2.0.4. Prioritize detection on these version ranges.
  • CVE-2020-4428 (RCE via command injection) is distinct from CVE-2020-4429 (hardcoded credentials). The Nuclei template and Metasploit SSH module reference CVE-2020-4429 / the a3user:idrm credential pair, but the full exploit chain in ibm_drm_rce.rb chains both CVEs together. Ensure detections are attributed to the correct CVE.
  • The hardcoded credential (a3user / idrm) grants an IDRM administrative account with root privileges. Any detection based solely on SSH login success must account for the possibility of legitimate administrative use of this account if the password has not been changed.

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     9.1    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
nvd            v3.0     9.1    CRITICAL  CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
nvd            v2.0     9.0    CRITICAL  AV:N/AC:L/Au:S/C:C/I:C/A:C
ghsa           -        8.8    HIGH      -
vulncheck      -        9.1    CRITICAL  -
cisa           -        9.1    CRITICAL  -
vendor_redhat  -        7.9    HIGH      -