IBM has urgently patched two high-severity vulnerabilities in its widely used business intelligence platform, Cognos Analytics, which could enable remote attackers to steal sensitive data, crash servers, or upload malicious files.
Tracked as CVE-2024-51466 (CVSS 9.0) and CVE-2024-40695 (CVSS 8.0), these flaws affect versions 11.2.0–11.2.4 FP4 and 12.0.0–12.0.4 of the software.
Vulnerability Breakdown
1. Expression Language Injection (CVE-2024-51466)
   - Risk Level: Critical (CVSS 9.0)
   - Technical Details:
     - Arises from improper neutralization of Expression Language (EL) statements (CWE-917), allowing attackers to inject malicious code via crafted EL expressions.
     - Exploitation enables unauthorized access to sensitive data, memory exhaustion attacks, and server crashes.
   - Attack Vector: Remote, unauthenticated attackers can trigger this vulnerability without user interaction.
2. Malicious File Upload (CVE-2024-40695)
   - Risk Level: High (CVSS 8.0)
   - Technical Details:
     - Caused by insufficient validation of file uploads (CWE-434), permitting privileged users to upload executable malware.
     - Uploaded files are automatically processed, enabling further attacks such as code execution or phishing campaigns.
   - Attack Vector: Requires authenticated access, limiting exploitability to insider threats or compromised accounts.
Affected Products and Remediation
| Product Version | Fixed Version |
|---|---|
| IBM Cognos Analytics 12.0.0–12.0.4 | 12.0.4 Interim Fix 1 |
| IBM Cognos Analytics 11.2.0–11.2.4 FP4 | 11.2.4 FP5 |
IBM has not provided workarounds, urging immediate upgrades to mitigate risks.
Risk Factor Comparison
| CVE ID | CVSS Score | Vector | Impact |
|---|---|---|---|
| CVE-2024-51466 | 9.0 (Critical) | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H | Data exposure, resource exhaustion, DoS |
| CVE-2024-40695 | 8.0 (High) | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H | Malware execution, system compromise |
Exploitability and Mitigation Challenges
- CVE-2024-51466: Classified as a network-based attack with low complexity, this flaw allows unauthenticated exploitation, making it a prime target for ransomware groups.
- Security firm Tenable has released a detection plugin (Nessus ID: 213474) to identify vulnerable instances.
- CVE-2024-40695: While requiring user interaction and privileged access, successful exploitation could lead to lateral movement within enterprise networks.
Industry Response and Recommendations
- Researcher Credit: CVE-2024-51466 was reported by Vivek Singh of eClinicalWorks’ Application Security Team.
- Advisory: Organizations must prioritize patching, as both vulnerabilities are actively scannable and lack mitigations.
IBM emphasizes that delays in applying updates could result in “catastrophic data breaches,” given Cognos Analytics’ role in handling sensitive business intelligence.
Administrators are advised to audit user privileges and monitor for anomalous file uploads or EL statement executions.
These vulnerabilities underscore the persistent risks in enterprise software ecosystems.
With IBM Cognos Analytics integral to global decision-making workflows, prompt action is critical to prevent operational disruption and data theft.
Organizations running affected versions should treat this as a top-priority remediation effort.