CVE-2020-4622

7.5 HIGH

📋 TL;DR

IBM Data Risk Manager (iDNA) 2.0.6 contains hard-coded credentials that can be used for authentication, communication, or data encryption. This allows attackers to bypass security controls and potentially gain unauthorized access to the system. Organizations running IBM Data Risk Manager 2.0.6 are affected.

💻 Affected Systems

Products:
  • IBM Data Risk Manager (iDNA)
Versions: 2.0.6
Operating Systems: Not OS-specific
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of version 2.0.6 are vulnerable due to hard-coded credentials in the software.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to access sensitive risk management data, modify configurations, and potentially pivot to other systems in the network.

🟠 Likely Case

Unauthorized access to the Data Risk Manager application, allowing viewing of sensitive risk assessment data and potential configuration changes.

🟢 If Mitigated

Limited impact if the system is isolated, properly segmented, and access controls prevent exploitation of the hard-coded credentials.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Hard-coded credentials typically require minimal technical skill to exploit once discovered.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.6.1

Vendor Advisory: https://www.ibm.com/support/pages/node/6335281

Restart Required: Yes

Instructions:

1. Download IBM Data Risk Manager 2.0.6.1 from IBM Fix Central.
2. Back up the current configuration and data.
3. Apply the update following IBM's installation guide.
4. Restart the application services.

🔧 Temporary Workarounds

Network Segmentation

Isolate IBM Data Risk Manager from untrusted networks and limit access to authorized users only.

Access Control Restrictions

Implement strict firewall rules and network access controls to limit who can reach the Data Risk Manager interface.

🧯 If You Can't Patch

  • Remove internet-facing access and place behind strict network segmentation
  • Implement additional authentication layers and monitor for unauthorized access attempts

🔍 How to Verify

Check if Vulnerable:

Check the IBM Data Risk Manager version in the administration interface or configuration files. If the version is 2.0.6, the system is vulnerable.

Check Version:

Check the application's admin interface or refer to installation documentation for version verification methods.

Verify Fix Applied:

Verify the version has been updated to 2.0.6.1 in the administration interface and test that the hard-coded credentials no longer work.

📡 Detection & Monitoring

Log Indicators:

  • Failed authentication attempts followed by successful authentication using hard-coded credentials
  • Unusual access patterns to the Data Risk Manager application

Network Indicators:

  • Unauthorized access attempts to Data Risk Manager endpoints
  • Traffic patterns indicating credential testing

SIEM Query:

source="ibm_drm" AND (event_type="authentication" AND result="success") AND user="hardcoded_user"
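The two log indicators and the SIEM query above, expressed as detection logic in Python over constructed sample events. This is an added example, not code from the page or from IBM; the key=value event format and the account name a3user (standing in for whichever account the vendor advisory identifies) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; the key=value layout is assumed, not IBM DRM's real log format.
SAMPLE_LOGS = """\
2020-05-01T10:00:01Z source=ibm_drm event_type=authentication result=failure user=jdoe src=10.0.0.5
2020-05-01T10:00:03Z source=ibm_drm event_type=authentication result=failure user=jdoe src=10.0.0.5
2020-05-01T10:00:05Z source=ibm_drm event_type=authentication result=failure user=jdoe src=10.0.0.5
2020-05-01T10:00:09Z source=ibm_drm event_type=authentication result=success user=jdoe src=10.0.0.5
2020-05-01T10:05:00Z source=ibm_drm event_type=authentication result=success user=a3user src=10.0.0.7
2020-05-01T11:00:00Z source=ibm_drm event_type=authentication result=success user=alice src=10.0.0.9
"""
# Watchlist of hard-coded account names; "a3user" is a hypothetical placeholder, not from the advisory.
HARDCODED_ACCOUNTS = {"a3user"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")

def parse_line(line):
    """Parse one '<timestamp> k=v k=v ...' line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(p.split("=", 1) for p in m.group("kv").split() if "=" in p)
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return fields

def detect(log_text, watchlist=HARDCODED_ACCOUNTS, max_failures=3, window=timedelta(minutes=2)):
    """Return (rule, user, src) alerts for watchlist logins and success-after-failure bursts."""
    alerts = []
    failures = defaultdict(list)  # (user, src) -> timestamps of recent failures
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev.get("source") != "ibm_drm" or ev.get("event_type") != "authentication":
            continue
        key = (ev.get("user"), ev.get("src"))
        if ev.get("result") == "failure":
            failures[key].append(ev["ts"])
            continue
        if ev.get("result") != "success":
            continue
        if key[0] in watchlist:  # equivalent of user="hardcoded_user" in the SIEM query
            alerts.append(("hardcoded_account_login", key[0], key[1]))
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= max_failures:  # failures followed by a success from the same source
            alerts.append(("success_after_failures", key[0], key[1]))
        failures[key].clear()
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```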
