CVE-2020-4427

CRITICAL KEV NUCLEI

IBM Data Risk Manager 2.0.1-2.0.6 - Authentication Bypass via SAML Misconfiguration

Title source: llm

Exploitation Summary

CVE-2020-4427 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021. EIP tracks 2 public exploits, including a Metasploit module exploits/linux/http/ibm_drm_rce. A Nuclei detection template is also available.

AI-analyzed exploit summary This Metasploit module exploits a chain of vulnerabilities in IBM Data Risk Manager (CVE-2020-4427, CVE-2020-4428, CVE-2020-4429) to achieve unauthenticated remote code execution as root. It bypasses authentication, injects commands, and abuses an insecure default password.

Description

IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, and 2.0.6 could allow a remote attacker to bypass security restrictions when configured with SAML authentication. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to bypass the authentication process and gain full administrative access to the system. IBM X-Force ID: 180532.

Exploits (2)

metasploit WORKING POC EXCELLENT

rubypoclinux

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/ibm_drm_rce.rb

View Code ZIP pw:eip

This Metasploit module exploits a chain of vulnerabilities in IBM Data Risk Manager (CVE-2020-4427, CVE-2020-4428, CVE-2020-4429) to achieve unauthenticated remote code execution as root. It bypasses authentication, injects commands, and abuses an insecure default password.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: IBM Data Risk Manager <= 2.0.4

No auth needed

Prerequisites: Network access to the target · SSL/TLS enabled on port 8443

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Apr 22, 2026 Full analysis →

metasploit WORKING POC

rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/http/ibm_drm_download.rb

View Code ZIP pw:eip

This Metasploit module exploits an authentication bypass (CVE-2020-4427) and path traversal vulnerability in IBM Data Risk Manager to download arbitrary files. It chains multiple steps to obtain admin credentials and fetch sensitive files like application.properties.

Classification

Working Poc 100%

Attack Type

Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: IBM Data Risk Manager 2.0.2 to 2.0.4

No auth needed

Prerequisites: Network access to the target server

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1083 - File and Directory Discovery

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

IBM Data Risk Manager - Authentication Bypass via SAML

CRITICALby ritikchaddha

Shodan: title:"IBM Data Risk Manager"

References (5)

Core 5

Core References

Patch, Vendor Advisory x_refsource_confirm

https://www.ibm.com/support/pages/node/6206875

VDB Entry, Vendor Advisory vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/180532

Mailing List, Third Party Advisory

http://seclists.org/fulldisclosure/2024/Nov/0

Mailing List, Third Party Advisory

http://seclists.org/fulldisclosure/2024/Nov/1

US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-4427

Scores

CVSS v3 9.8

EPSS 0.9274

EPSS Percentile 99.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable yes

Technical Impact total

Details

CISA KEV 2021-11-03

VulnCheck KEV 2021-11-03

InTheWild.io 2021-07-23

ENISA EUVD EUVD-2020-25674

CWE

CWE-287

Status published

Products (1)

ibm/data_risk_manager 2.0.1 - 2.0.6.1

Published May 07, 2020

KEV Added Nov 03, 2021

Tracked Since Feb 18, 2026