CVE-2015-0104

HIGH

IBM Maximo and Tivoli Asset Management - Authenticated Remote Code Execution

Title source: manual

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-0104.

AI-analyzed exploit summary This exploit leverages a path traversal vulnerability in IBM Tivoli Service Automation Manager to upload a malicious JSP payload via a crafted SOAP request, achieving remote code execution. The payload is injected into the SOAP request's CDATA section and executed when the report is processed.

Description

IBM Tivoli IT Asset Management for IT, Tivoli Service Request Manager, and Change and Configuration Management Database 7.1 through 7.1.1.8 and 7.2 and Maximo Asset Management and Maximo Industry Solutions 7.1 through 7.1.1.8, 7.5 before 7.5.0.7 IFIX003, and 7.6 before 7.6.0.0 IFIX002 allow remote authenticated users to execute arbitrary code via unspecified vectors.

Exploits (1)

exploitdb WORKING POC

webappsjsp

https://www.exploit-db.com/exploits/36002

View Code ZIP pw:eip

This exploit leverages a path traversal vulnerability in IBM Tivoli Service Automation Manager to upload a malicious JSP payload via a crafted SOAP request, achieving remote code execution. The payload is injected into the SOAP request's CDATA section and executed when the report is processed.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: IBM Tivoli Service Automation Manager up to 7.2.4

Auth required

Prerequisites: Valid session ID · Access to a valid report and appname · Ability to intercept and modify SOAP requests

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1210 - Exploitation of Remote Services

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (2)

Core 2

Core References

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/97999

Patch, Vendor Advisory x_refsource_confirm

http://www-01.ibm.com/support/docview.wss?uid=swg21694974

Scores

CVSS v3 8.8

EPSS 0.0685

EPSS Percentile 93.2%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-284

Status published

Products (21)

ibm/change_and_configuration_management_database 7.1

ibm/change_and_configuration_management_database 7.2

ibm/maximo_asset_management 7.1

ibm/maximo_asset_management 7.1.1

ibm/maximo_asset_management 7.1.1.1

ibm/maximo_asset_management 7.1.1.2

ibm/maximo_asset_management 7.1.1.5

ibm/maximo_asset_management 7.1.1.6

ibm/maximo_asset_management 7.1.1.7

ibm/maximo_asset_management 7.1.1.8

... and 11 more

Published Apr 24, 2017

Tracked Since Feb 18, 2026