details and PoC for 4 unpatched zero-day vulnerabilities affecting
enterprise security software offered by IBM after the company
refused to acknowledge the responsibly submitted disclosure.
The affected premium product is IBM Data Risk Manager (IDRM),
which is designed to analyze an organization's sensitive business
information assets and determine the risks associated with them.
According to Pedro Ribeiro[1] of the firm Agile Information
Security, IBM Data Risk Manager contains three critical-severity
vulnerabilities and one high-impact bug, all listed below, which an
unauthenticated attacker with network access to the product can
exploit, and which, when chained together, can lead to remote code
execution as root.
- Authentication Bypass
- Command Injection
- Insecure Default Password
- Arbitrary File Download
Ribeiro successfully tested the flaws against IBM Data Risk Manager
versions 2.0.1 through 2.0.3, which are not the latest versions of the
software, but he believes they also work in 2.0.4 through the newest
version, 2.0.6, because “there is no mention of fixed vulnerabilities
in any change log.”
“IDRM is an enterprise security product that handles very
sensitive information. A compromise of such a product might lead to
a full-scale company compromise, as the tool has credentials to
access other security tools, not to mention it contains information
about critical vulnerabilities that affect the company,” Ribeiro
said.
Critical Zero-Day Vulnerabilities in IBM Data Risk Manager
In brief, the authentication bypass abuses a logic error in the
session ID handling to reset the password of any existing account,
including the administrator's.
The command injection flaw lies in the way IBM's enterprise security
software lets users perform network scans using Nmap scripts: a
script supplied by an attacker can carry arbitrary commands that the
appliance then executes.
According to the vulnerability disclosure, the IDRM virtual appliance
also ships with a built-in administrative user, username “a3user” and
default password “idrm,” that can log in over SSH and run sudo
commands. If that password is left unchanged, remote attackers could
take complete control of the targeted systems.
The last vulnerability resides in an API endpoint that lets
authenticated users download log files from the system. According to
the researcher, one of the parameters to this endpoint suffers from a
directory traversal flaw, so a malicious user can download any file
from the system rather than only files in the log directory.
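As an added defender-side illustration (not code from the disclosure or from IDRM itself), the following Python shows the path-traversal bug class described above in a log-download handler beside a hardened version. The log directory and the rule that only `.log` files may be served are assumptions made for the example.

```python
import os
from pathlib import Path

# Constructed for this example: a stand-in log directory. The page does not
# describe IDRM's real file layout, so this location is an assumption.
LOG_DIR = Path("/var/log/example-appliance")


def unsafe_log_path(requested: str) -> Path:
    """Naive form of the bug class described above: the request parameter is
    joined straight onto the log directory, so a value containing '..' (or an
    absolute path) resolves to a file outside LOG_DIR."""
    return LOG_DIR / requested


def safe_log_path(requested: str) -> Path:
    """Hardened form: resolve the candidate path, then require that it still
    lies inside LOG_DIR and names a plain .log file. Raises ValueError for
    anything that escapes the directory or is not a log file."""
    base = LOG_DIR.resolve()
    candidate = (base / requested).resolve()
    # commonpath is the containment check; a plain startswith() on the string
    # would wrongly accept a sibling such as /var/log/example-appliance2.
    if os.path.commonpath([base, candidate]) != str(base):
        raise ValueError(f"request escapes log directory: {requested!r}")
    if candidate == base or candidate.suffix != ".log":
        raise ValueError(f"not a log file: {requested!r}")
    return candidate


def escapes_log_dir(path: Path) -> bool:
    """True if the path resolves outside LOG_DIR. Usable as a test oracle and
    as a check to run over recorded download requests when hunting for abuse
    of an endpoint like the one described above."""
    base = LOG_DIR.resolve()
    return os.path.commonpath([base, path.resolve()]) != str(base)


def is_safe_log_request(requested: str) -> bool:
    """Boolean wrapper around safe_log_path for request validation."""
    try:
        safe_log_path(requested)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name in ("app.log", "sub/../app.log", "../../etc/passwd", "/etc/passwd"):
        print(f"{name!r:24} safe={is_safe_log_request(name)}")
```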
Besides the technical details, the researcher has also released two
Metasploit modules: one for the authentication bypass and remote code
execution[2] issues, and one for the arbitrary file download[3]
issue.
Ribeiro says he reported these issues to IBM via CERT/CC, and that
in response the company refused to accept the vulnerability report,
saying: “We have assessed this report and closed as being out of
scope for our vulnerability disclosure program since this product is
only for ‘enhanced’ support paid for by our customers.”
In response Ribeiro said, “In any case, I did not ask or expect
a bounty since I do not have a HackerOne account and I don’t agree
with HackerOne’s or IBM’s disclosure terms there. I simply wanted
to disclose these to IBM responsibly and let them fix it.”
The Hacker News has reached out to IBM, and we will update the
article as more information becomes available.
References
- [1] Pedro Ribeiro (github.com)
- [2] remote code execution (github.com)
- [3] arbitrary file download (github.com)
