CVE-2020-4428 — IBM Data Risk Manager Remote Code Execution Vulnerability

CVE-2020-4428

IBM Data Risk Manager — OS Command Injection RCE, Chainable from Auth Bypass

What is IBM Data Risk Manager?

IBM Data Risk Manager (IDRM) is an enterprise security and risk management platform that aggregates vulnerability and data classification data from IBM security products (AppScan, QRadar, Guardium) into a unified risk dashboard. It is deployed in large enterprises and government environments. Because IDRM holds a consolidated view of an organization's security weaknesses across its entire toolset, it is a high-value intelligence target for attackers.

Overview

CVE-2020-4428 is an OS command injection vulnerability (CWE-78) in IBM Data Risk Manager that allows an authenticated administrator to execute arbitrary commands on the underlying operating system. In practice, it is almost never exploited in isolation — it is chained with CVE-2020-4427 (authentication bypass) to achieve unauthenticated remote code execution as root. Together, the two CVEs form a complete pre-auth RCE exploit chain.

Both CVEs were discovered by Pedro Ribeiro of Agile Information Security in April 2020 and patched in IDRM v2.0.6.1 on May 7, 2020, after IBM initially declined to fix them.

Affected Versions

Product                  Vulnerable       Fixed
IBM Data Risk Manager    2.0.1 – 2.0.5    2.0.6.1+

Technical Details

IDRM includes administrative functionality that accepts user-supplied input and passes it to underlying shell commands without proper sanitization. The command injection vector is in an administrative API endpoint related to system configuration or health checking. By injecting shell metacharacters (semicolons, backticks, pipe characters) into the affected parameter, an authenticated attacker can execute arbitrary OS commands with the privileges of the IDRM process — which runs as root.

The CVSS score requires high privilege (PR:H) because the injection endpoint is admin-only. However, when chained with CVE-2020-4427 (authentication bypass), the prerequisite is eliminated — the combined exploit is effectively unauthenticated. The scope is "Changed" (S:C) because the attacker escapes the application context and gains OS-level access.

Full exploit chain (as demonstrated by Ribeiro):

  1. CVE-2020-4427: bypass authentication → obtain admin session
  2. CVE-2020-4428: inject OS command via admin endpoint → RCE as root
  3. Impact: full control of the IDRM server and all security data it aggregates

Discovery

Pedro Ribeiro of Agile Information Security discovered this vulnerability as part of a four-CVE chain (CVE-2020-4427 through CVE-2020-4430) in April 2020. IBM initially refused to fix the issues, stating they were out of scope for their bug bounty program. After CERT/CC mediation and public disclosure pressure, IBM patched all four CVEs on May 7, 2020.

Exploitation Context

CISA added CVE-2020-4428 to the KEV catalog on November 3, 2021 as part of the initial KEV launch. The pre-auth RCE chain (4427 + 4428) is particularly dangerous because IDRM deployments contain an aggregated map of an organization's security vulnerabilities — an attacker who compromises IDRM obtains a ready-made intelligence brief for targeting other systems.

Remediation

  1. Upgrade to IDRM v2.0.6.1 or later: Patches both CVE-2020-4427 and CVE-2020-4428.
  2. Restrict network access: IDRM should be isolated on internal management networks — not accessible from the internet or untrusted network segments.
  3. Change default credentials: Change the default a3user/idrm admin credentials immediately (CVE-2020-4429).
  4. Review audit logs: Check IDRM's audit trail for unauthorized API calls or command execution events around the exposure window.
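As an added example (not from the original advisory or from IBM), the following Python script applies the audit-log review in step 4 to the injection vector described under Technical Details: it parses constructed access-log lines and flags admin-API requests whose parameters carry shell metacharacters. The log format, the /admin/api/ path prefix and the sample lines are assumptions for illustration, not IDRM's real endpoints or audit format.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Shell metacharacters named in the advisory (separators, pipes, backticks),
# plus $(...) substitution and newline-based command splitting.
SHELL_META = re.compile(r"[;|`\n]|\$\(|&&")

# Hypothetical admin API prefix; IDRM's real endpoint paths are not on this page.
ADMIN_PREFIX = "/admin/api/"

# Common log format (constructed for this example, not IDRM's own audit format).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None

def injection_params(target):
    """Return (name, value) pairs whose percent-decoded value carries shell metacharacters."""
    query = urlsplit(target).query
    return [(name, value) for name, value in parse_qsl(query, keep_blank_values=True)
            if SHELL_META.search(value)]

def scan(lines):
    """Flag admin-API requests whose parameters look like OS command injection."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["target"].startswith(ADMIN_PREFIX):
            continue  # unparseable, or not an admin endpoint
        hits = injection_params(rec["target"])
        if hits:
            findings.append({"ip": rec["ip"], "user": rec["user"], "ts": rec["ts"],
                             "path": urlsplit(rec["target"]).path, "params": hits})
    return findings

# Constructed sample lines: one benign admin call, three injection attempts,
# and one metacharacter on a non-admin path that should be ignored.
SAMPLE_LOG = [
    '10.0.0.5 - a3user [08/May/2020:10:00:01 +0000] "GET /admin/api/health?host=10.0.0.9 HTTP/1.1" 200',
    '203.0.113.7 - a3user [08/May/2020:10:00:02 +0000] "GET /admin/api/health?host=10.0.0.9%3Bid HTTP/1.1" 200',
    '203.0.113.7 - a3user [08/May/2020:10:00:03 +0000] "POST /admin/api/config?name=x%60whoami%60 HTTP/1.1" 500',
    '10.0.0.6 - - [08/May/2020:10:00:04 +0000] "GET /reports?filter=a%7Cb HTTP/1.1" 200',
    '203.0.113.7 - a3user [08/May/2020:10:00:05 +0000] "GET /admin/api/health?host=10.0.0.9%0Aid HTTP/1.1" 200',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["user"], f["path"], f["params"])
```

Requests from sources outside the management network that also match should be treated as the highest-priority findings, since IDRM is not meant to be reachable from there.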

Key Details

Property               Value
CVE ID                 CVE-2020-4428
Vendor / Product       IBM — Data Risk Manager
NVD Published          2020-05-07
NVD Last Modified      2025-11-04
CVSS 3.1 Score         9.1
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-78
CISA KEV Added         2021-11-03
CISA KEV Deadline      2022-05-03
Known Ransomware Use   No

CVSS 3.1 Breakdown

Metric                 Value
Attack Vector          Network
Attack Complexity      Low
Privileges Required    High
User Interaction       None
Scope                  Changed
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2022-05-03. Apply updates per vendor instructions.

Timeline

Date         Event
2020-04-21   Pedro Ribeiro (Agile InfoSec) privately discloses to IBM; IBM declines to fix
2020-05-07   IBM patches CVE-2020-4428 (and related CVEs) in IDRM v2.0.6.1
2021-11-03   Added to CISA Known Exploited Vulnerabilities catalog
2022-05-03   CISA BOD 22-01 remediation deadline