CVE-2024-25034: 
IBM Planning Analytics vulnerability analysis and mitigation

IBM Planning Analytics versions 2.0 and 2.1 contain a vulnerability related to malicious file upload in the File Manager T1 process. The vulnerability, identified as CVE-2024-25034, was disclosed on January 24, 2025, and allows attackers to upload malicious executable files into the system that can be used for further attacks (NVD, IBM Advisory).

The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). It has received a CVSS v3.1 base score of 8.8 HIGH (NIST) and 8.0 HIGH (IBM), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating a high-severity issue with network accessibility, low attack complexity, and requiring user interaction (NVD).

The vulnerability allows attackers to upload malicious executable files into the system. These files can then be sent to victims to perform further attacks, potentially compromising system security and enabling additional malicious activities (IBM Advisory).

IBM has released security updates to address this vulnerability. For IBM Planning Analytics Local 2.1, users should upgrade to version 2.1.6 available from Fix Central. For version 2.0, users should download IBM Planning Analytics Local v2.0: Planning Analytics Workspace Release 99 from Fix Central. IBM Planning Analytics Workspace cloud environments have already been remediated (IBM Advisory).