Security Experts:

Connect with us

Hi, what are you looking for?


Endpoint Security

IBM Fixes Remote Code Execution Vulnerability in Endpoint Manager

IBM has released a software update for the company’s Endpoint Manager solution to address a vulnerability that can be leveraged by a remote, unauthenticated attacker to execute arbitrary code.

IBM has released a software update for the company’s Endpoint Manager solution to address a vulnerability that can be leveraged by a remote, unauthenticated attacker to execute arbitrary code.

According to IBM, the vulnerability (CVE-2014-6140) affects the Self-Service Portal, Trusted Service Provider, iOS Management Extender, and Admin Portal components of IBM Endpoint Manager for Mobile Devices.

“IBM Tivoli Endpoint Manager Mobile Device Management (MDM) is vulnerable to cross-site scripting, caused by improper validation of user-supplied input,” IBM said in its advisory. “A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s web browser within the security context of the hosting web site, after the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials and execute arbitrary code.”

CVE-2014-6140The security hole has been addressed with the release of version 9.0.60100. All previous versions are affected.

The flaw was reported to IBM by researchers of the Germany-based company RedTeam Pentesting in mid-August. IBM initially planned on releasing a fix in the last week of November, but the update was delayed due to some issues uncovered during quality control testing.

“During a penetration test, RedTeam Pentesting discovered that several IBM Endpoint Manager Components are based on Ruby on Rails and use static secret_token values. With these values, attackers can create valid session cookies containing marshalled objects of their choosing. This can be leveraged to execute arbitrary code when the Ruby on Rails application unmarshals the cookie,” RedTeam Pentesting said in its own advisory, which contains technical details and a proof-of-concept.

“The vulnerability allows unauthenticated remote attackers to execute arbitrary code with administrative privileges on the affected systems. It is highly likely that a successful attack on the application server can also be leveraged into a full compromise of all devices managed through the product. This constitutes a high risk,” the penetration testing firm noted.

IBM says there are no known workarounds or mitigations for this vulnerability. The researchers believe there might be a workaround, but they haven’t tested it.

IBM Endpoint Manager is not affected by the recently disclosed GNU Bash vulnerability known as ShellShock, but many other IBM products are. The company has published tens of advisories for the impacted solutions since September 27.


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet