CVE-2024-39747
📋 TL;DR
IBM Sterling Connect:Direct Web Services uses default credentials for critical functionality, allowing attackers to gain unauthorized access. This affects versions 6.0 through 6.3 of the software. Organizations using these versions without changing default credentials are vulnerable.
💻 Affected Systems
- IBM Sterling Connect:Direct Web Services
📦 What is this software?
Sterling Connect Direct Web Services by IBM
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Connect:Direct Web Services instance, allowing attackers to execute arbitrary commands, access sensitive data, and potentially pivot to other systems.
Likely Case
Unauthorized access to file transfer functionality, data exfiltration, and potential modification of critical business data.
If Mitigated
Limited impact if proper network segmentation and access controls are in place, though default credentials still pose a risk.
🎯 Exploit Status
Exploitation requires knowledge of the default credentials, but no authentication bypass is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply interim fix or upgrade to version 6.3.0.5 or later
Vendor Advisory: https://www.ibm.com/support/pages/node/7166947
Restart Required: Yes
Instructions:
1. Download the interim fix from IBM Fix Central.
2. Stop the Connect:Direct Web Services.
3. Apply the fix.
4. Restart the service.
5. Change default credentials immediately.
🔧 Temporary Workarounds
Change Default Credentials
Immediately change all default passwords and usernames for Connect:Direct Web Services.
Use the administrative interface to change credentials
Network Segmentation
Restrict network access to Connect:Direct Web Services to only trusted sources.
Configure firewall rules to limit access
🧯 If You Can't Patch
- Immediately change all default credentials to strong, unique passwords
- Implement strict network access controls and monitor for unauthorized access attempts
🔍 How to Verify
Check if Vulnerable:
Check if Connect:Direct Web Services is using default credentials by attempting authentication with known defaults
Check Version:
Check the version in the administrative console or configuration files
Verify Fix Applied:
Verify that default credentials no longer work and only authorized credentials provide access
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts followed by successful login with default credentials
- Unusual file transfer activities
Network Indicators:
- Unauthorized access to Connect:Direct Web Services ports
- Suspicious file transfer patterns
SIEM Query:
source="connect_direct_ws" AND (event_type="authentication" AND result="success" AND user="default_user")
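The log indicators above, run as detection logic over constructed sample events; this is an added example, not code from IBM or the original page. The key=value layout, the `ts` and `src` fields and the 10-minute window are assumptions, and `default_user` is the placeholder from the SIEM query, not a real account name.

```python
import shlex
from datetime import datetime, timedelta

# Placeholder from the page's SIEM query; replace with the account names
# your own installation shipped with.
WATCHED_USERS = {"default_user"}
WINDOW = timedelta(minutes=10)  # assumed correlation window

# Constructed sample events. The line layout and the ts/src fields are
# assumptions; event_type, result and user mirror the SIEM query fields.
SAMPLE_LOG = """\
ts=2024-08-01T09:00:00 src=10.0.5.23 event_type="authentication" result="failure" user="admin"
ts=2024-08-01T10:00:01 src=10.0.5.23 event_type="authentication" result="failure" user="admin"
ts=2024-08-01T10:00:04 src=10.0.5.23 event_type="authentication" result="failure" user="root"
ts=2024-08-01T10:00:09 src=10.0.5.23 event_type="authentication" result="success" user="default_user"
ts=2024-08-01T11:30:00 src=10.0.9.7 event_type="authentication" result="success" user="jsmith"
ts=2024-08-01T14:00:00 src=10.0.5.40 event_type="authentication" result="success" user="default_user"
"""

def parse(line):
    """Turn one key=value line into a dict; None for blank or untimed lines."""
    fields = dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)
    if "ts" not in fields:
        return None
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields

def detect(log_text, watched=WATCHED_USERS, window=WINDOW):
    """Alert on every successful login by a watched account.

    Any such login means the default credentials still work. Failures from
    the same source inside the window raise the severity (guessing pattern).
    """
    failures, alerts = {}, []  # failures: src -> list of failure timestamps
    for ev in filter(None, map(parse, log_text.splitlines())):
        if ev.get("event_type") != "authentication":
            continue
        src = ev.get("src", "unknown")
        if ev.get("result") == "failure":
            failures.setdefault(src, []).append(ev["ts"])
        elif ev.get("result") == "success" and ev.get("user") in watched:
            prior = [t for t in failures.get(src, [])
                     if timedelta(0) <= ev["ts"] - t <= window]
            alerts.append({"ts": ev["ts"].isoformat(), "src": src,
                           "user": ev["user"], "prior_failures": len(prior),
                           "severity": "high" if prior else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```
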