cbcvebase.
CVE-2020-4429
published 2020-05-07


Priority: P1 · 91 · critical · 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: ITW (exploited in the wild) · EXPLOIT · VulnCheck KEV
EPSS: 71.36% (99.3rd percentile)
IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, and 2.0.6 contains a default password for an IDRM administrative account. A remote attacker could exploit this vulnerability to login and execute arbitrary code on the system with root privileges. IBM X-Force ID: 180534.

Affected (6 ranges)

Vendor | Product | Version range | Fixed in
ibm | data_risk_manager | |
ibm | data_risk_manager | |
ibm | data_risk_manager | |
ibm | data_risk_manager | |
ibm | data_risk_manager | |
ibm | data_risk_manager | |

Detection & IOCs (extracted from sources)

other: username a3user, password idrm
port: 22 (SSH)
path: Tomcat application.properties
  • Detect SSH login attempts using the hardcoded credential pair a3user/idrm against IBM Data Risk Manager appliances on port 22.
  • Monitor for successful SSH authentication by the 'a3user' account on IDRM appliances, especially followed by sudo/root escalation activity.
  • Detect exploitation chains involving unauthenticated bypass + command injection + default credential abuse targeting IDRM HTTP endpoints, as all three are chained for unauthenticated RCE as root.
  • Alert on unauthenticated HTTP requests exhibiting path traversal patterns against IDRM (versions 2.0.2–2.0.4), particularly those resulting in download of application.properties or other sensitive files.
  • The authentication bypass (unauthenticated) works on a broader version range than the command injection component; scope detection rules accordingly.
  • The arbitrary file download vulnerability (path traversal) affects versions 2.0.2–2.0.4 only; version 2.0.1 is not vulnerable to this specific vector.
  • The default SSH credential (a3user/idrm) vulnerability is confirmed across all listed versions up to and including 2.0.6.1.

CVSS provenance

Source | CVSS version | Score | Severity | Vector
nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | 3.0 | 10.0 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck | | 9.8 | CRITICAL |