CVE-2024-51476
Published: 06 March 2025
Description
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.
Security Summary
CVE-2024-51476 is a vulnerability in IBM Concert Software version 1.0.5 stemming from an inadequate account lockout setting. This flaw, classified under CWE-307 (Improper Restriction of Excessive Authentication Attempts), enables brute force attacks against account credentials. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), highlighting its high severity due to network accessibility, low attack complexity, and significant confidentiality impact.
A remote attacker requires no privileges or user interaction to exploit this vulnerability over the network. By repeatedly attempting authentication without effective lockout enforcement, the attacker can brute force credentials, potentially gaining unauthorized access to accounts and exposing sensitive data, consistent with the high confidentiality impact.
IBM provides details on the vulnerability, including mitigation recommendations, in their security advisory at https://www.ibm.com/support/pages/node/7184961.
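To make the control that CWE-307 describes as missing concrete, here is an added example (not IBM's code and not taken from the advisory) of an account-lockout policy: failed logins are counted per account inside a sliding window, and once the threshold is reached the account is refused for a fixed period before the credential store is even consulted. The user store, salt, thresholds and guess strings are constructed values for the demonstration; `guesses_evaluated` runs the same wrong-guess loop against the weak configuration (no lockout) and the hardened one so the difference is visible.

```python
"""Added example, not IBM's code: the account-lockout control that CWE-307
describes as missing. LockoutPolicy counts failed logins per account inside a
sliding window and locks the account for a fixed period once the threshold is
hit. The user store, salt, thresholds and guess strings are constructed
values for the demonstration."""
import hashlib
import hmac
from collections import deque
from dataclasses import dataclass, field
from typing import Optional


def _digest(salt: bytes, password: str) -> bytes:
    # Constructed credential hashing; a production system would use a slow
    # password KDF (Argon2, scrypt, bcrypt), not a single SHA-256.
    return hashlib.sha256(salt + password.encode()).digest()


SALT = b"constructed-salt"
USERS = {"alice": _digest(SALT, "correct horse battery staple")}  # constructed
DUMMY = _digest(SALT, "")  # compared against for unknown users (uniform timing)


@dataclass
class LockoutPolicy:
    max_failures: int = 5          # failures tolerated inside the window
    window_seconds: float = 300.0  # sliding window for counting failures
    lock_seconds: float = 900.0    # lock duration once the threshold is reached
    _failures: dict = field(default_factory=dict)      # user -> deque[timestamp]
    _locked_until: dict = field(default_factory=dict)  # user -> unlock time

    def is_locked(self, user: str, now: float) -> bool:
        return self._locked_until.get(user, 0.0) > now

    def record_failure(self, user: str, now: float) -> None:
        q = self._failures.setdefault(user, deque())
        q.append(now)
        while q and now - q[0] > self.window_seconds:  # age out old failures
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[user] = now + self.lock_seconds
            q.clear()

    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)


def authenticate(user: str, password: str, policy: Optional[LockoutPolicy], now: float) -> str:
    """Return 'ok', 'denied' or 'locked'. policy=None models the weak
    configuration in which attempts are never restricted."""
    if policy is not None and policy.is_locked(user, now):
        return "locked"  # refused before the credential store is consulted
    stored = USERS.get(user, DUMMY)
    ok = user in USERS and hmac.compare_digest(stored, _digest(SALT, password))
    if ok:
        if policy is not None:
            policy.record_success(user)
        return "ok"
    if policy is not None:
        policy.record_failure(user, now)
    return "denied"


def guesses_evaluated(policy: Optional[LockoutPolicy], guesses: int, start: float = 1_000_000.0) -> int:
    """How many wrong guesses are actually checked against the credential
    store (one per second) before the policy starts refusing them."""
    return sum(
        authenticate("alice", f"wrong-guess-{i}", policy, start + i) == "denied"
        for i in range(guesses)
    )


if __name__ == "__main__":
    print("no lockout :", guesses_evaluated(None, 50), "guesses evaluated")
    print("lockout    :", guesses_evaluated(LockoutPolicy(), 50), "guesses evaluated")
```

With the default policy only the first five wrong guesses reach the credential store; the remaining attempts are refused as `locked` until the lock expires, after which the legitimate password works again. The lock is deliberately time-limited: a permanent lock would turn the same repeated-attempt traffic into a denial of service against the account owner, so the window and lock duration are the tuning knobs a deployment has to balance.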
Details
CWE(s)
- CWE-307: Improper Restriction of Excessive Authentication Attempts
Affected Products
- IBM Concert Software 1.0.5
MITRE ATT&CK Enterprise Techniques
- T1110 Brute Force
- T1110.001 Password Guessing
Why these techniques?
Inadequate account lockout directly enables online brute force via repeated authentication attempts (T1110 Brute Force, specifically T1110.001 Password Guessing) to obtain valid credentials.
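On the detection side, the same T1110.001 pattern is visible in authentication logs as a burst of failures against one account, possibly ending in a success. The following added example (not from the advisory or IBM) applies a sliding-window count to such logs and raises one alert when the failure threshold is crossed and another if the account then authenticates successfully. The log line layout and the sample lines are constructed for the demonstration and do not describe any real product's log format.

```python
"""Added example, not taken from the advisory: a detection rule for the
T1110.001 pattern, repeated failed logins against one account followed, in the
worst case, by a success. The log line format and the sample lines are
constructed for the demonstration and do not describe any real product's logs."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Iterable, List

# Assumed line layout: "<ISO-8601 ts> auth <FAIL|OK> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: a 12-guess burst against alice that ends in a success,
# then one ordinary mistyped password by bob.
SAMPLE_LOG = (
    [f"2025-03-06T10:00:{s:02d}Z auth FAIL user=alice src=203.0.113.7" for s in range(1, 13)]
    + [
        "2025-03-06T10:00:13Z auth OK user=alice src=203.0.113.7",
        "2025-03-06T10:05:00Z auth FAIL user=bob src=198.51.100.4",
        "2025-03-06T10:05:20Z auth OK user=bob src=198.51.100.4",
    ]
)


def parse(lines: Iterable[str]):
    """Yield (timestamp, result, user, src); lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            yield ts, m["result"], m["user"], m["src"]


def detect_password_guessing(lines: Iterable[str], threshold: int = 10,
                             window: timedelta = timedelta(minutes=5)) -> List[str]:
    """Alert once per account when `threshold` failures land inside `window`,
    and again if that account then logs in successfully (likely compromise)."""
    recent = defaultdict(deque)  # user -> timestamps of failures in the window
    alerted = set()
    alerts = []
    for ts, result, user, src in parse(lines):
        q = recent[user]
        while q and ts - q[0] > window:  # slide the window forward
            q.popleft()
        if result == "FAIL":
            q.append(ts)
            if len(q) >= threshold and user not in alerted:
                alerted.add(user)
                alerts.append(f"T1110.001 suspected: {len(q)} failed logins for "
                              f"{user} from {src} within {window}")
        elif len(q) >= threshold:
            alerts.append(f"success for {user} from {src} after {len(q)} recent failures")
            q.clear()
            alerted.discard(user)
    return alerts


if __name__ == "__main__":
    for alert in detect_password_guessing(SAMPLE_LOG):
        print(alert)
```

Bob's single mistyped password stays below the threshold and produces nothing, while alice's burst produces two alerts: the threshold crossing and the success that follows it. The second alert is the one worth paging on, since it indicates the guessing may have succeeded rather than merely been attempted; on a system without the lockout described above, this log-side check is the only place the pattern would surface.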