
Craig Colangelo, May 05, 2025
IBM recently flagged two critical vulnerabilities in Cognos Analytics that are worth your attention. One is a malicious file upload (CVE-2024-40695): the web interface does not validate the content of uploaded files, so a privileged user could upload a harmful file that the system then processes automatically, with no further user interaction needed. The other is an expression language (EL) injection issue (CVE-2024-51466), which a remote attacker could use, via a specially crafted EL statement, to expose sensitive information, consume memory, or crash the server. If you’re running Cognos Analytics, it’s a good time to double-check your version and make sure you’re covered with the latest fixes from IBM.
Here are the issues on IBM’s radar, with their CVSS base scores, that were addressed with Interim Fix 1 for 12.0.4 and Fix Pack 5 for 11.2.4:
- CVSS base score 9.0: CVE-2024-51466 – IBM Cognos Analytics Expression Language (EL) Injection vulnerability.
- CVSS base score 8.0: CVE-2024-40695 – IBM Cognos Analytics vulnerable to malicious file upload.
You should review the complete list on the security bulletin and assess each risk individually for your own environments. Some may be more critical in terms of possible consequences or more probable to be exploited depending on your particular situation. Remember, upgrading isn’t just for new features.
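If you manage more than a handful of Cognos environments, it helps to script the “am I at the fixed level yet?” question rather than eyeballing it. The snippet below is an added example written for this post, not code from PMsquare or IBM. It takes a version string in the form shown in the Cognos Administration “About” dialog (for example “11.2.4 FP4” or “12.0.4 IF1”) and compares it against the two fix levels named above, 11.2.4 FP5 and 12.0.4 IF1. The ordering rule it assumes is the usual IBM one: an interim fix sits between the fix pack it applies to and the next fix pack. Versions on a stream this post does not cover (say 12.1.x) come back as “unknown”, meaning check the bulletin yourself.

```python
import re
from typing import NamedTuple, Optional


class CognosVersion(NamedTuple):
    """Ordered representation of a Cognos Analytics level.

    Tuple ordering gives the ranking we want: release first, then fix pack,
    then interim fix, so 12.0.4 < 12.0.4 IF1 < 12.0.4 FP1 < 12.0.5.
    (Assumption: interim fixes are superseded by the next fix pack.)
    """
    release: tuple   # e.g. (11, 2, 4)
    fixpack: int     # FPn, 0 if none
    interim: int     # IFn, 0 if none


# Accepts "11.2.4", "11.2.4 FP4", "12.0.4 IF1", "11.2.4 FP4 IF2" (case-insensitive).
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s*FP\s*(\d+))?(?:\s*IF\s*(\d+))?\s*$",
    re.IGNORECASE,
)


def parse_version(text: str) -> CognosVersion:
    """Parse a Cognos version string; raises ValueError on anything unexpected."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Cognos version string: {text!r}")
    major, minor, mod, fp, iff = m.groups()
    return CognosVersion(
        release=(int(major), int(minor), int(mod)),
        fixpack=int(fp) if fp else 0,
        interim=int(iff) if iff else 0,
    )


# Minimum fixed levels per release stream, as stated in the post above:
# 11.2.4 Fix Pack 5 for the 11.2 stream, 12.0.4 Interim Fix 1 for the 12.0 stream.
FIXED_LEVELS = {
    (11, 2): parse_version("11.2.4 FP5"),
    (12, 0): parse_version("12.0.4 IF1"),
}


def is_patched(text: str) -> Optional[bool]:
    """True if the level includes the fixes, False if below them,
    None if the release stream is not one this post lists (check the bulletin)."""
    v = parse_version(text)
    fixed = FIXED_LEVELS.get(v.release[:2])
    if fixed is None:
        return None
    return v >= fixed


def report(versions):
    """Return {version: 'patched' | 'VULNERABLE' | 'unknown stream'} for a list."""
    labels = {True: "patched", False: "VULNERABLE", None: "unknown stream"}
    return {ver: labels[is_patched(ver)] for ver in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = ["11.2.4 FP4", "11.2.4 FP5", "12.0.4", "12.0.4 IF1", "12.0.3", "12.1.0"]
    for ver, status in report(inventory).items():
        print(f"{ver:14} {status}")
```

Feed it whatever you already collect per server (a CMDB export, the output of your login-page scraper, a spreadsheet) and anything that prints VULNERABLE goes on the upgrade list; anything that prints “unknown stream” needs a manual look at the IBM bulletin, since this post only states fix levels for 11.2.4 and 12.0.4.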
Below are a few helpful resources to better understand security risks, help manage concerns, and address issues…
- Check out IBM’s PSIRT / Security Vulnerability Management site, where you can subscribe to applicable security bulletins and ongoing updates
- Check out the current security bulletin issued April 2025
- Check out IBM’s fix site, Fix Central
PMsquare will continue to monitor ongoing vulnerabilities identified and will update our blog as conditions invariably change. Get ready for some upgrading! Or…better yet…have PMsquare do it for you.