CVE-2020-4463

HIGH EXPLOITED NUCLEI

IBM Maximo Asset Management 7.6.0.1 and 7.6.0.2 - XML External Entity Injection

Title source: llm

Exploitation Summary

CVE-2020-4463 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including Ibonok. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains a functional Python script that exploits CVE-2020-4463, an XXE vulnerability in IBM Maximo Asset Management. The script demonstrates both data leakage via REST API and XXE attacks for file disclosure on Windows and Linux systems.

Description

IBM Maximo Asset Management 7.6.0.1 and 7.6.0.2 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 181484.

Exploits (1)

nomisec · WORKING POC · 52 stars
by Ibonok · remote
https://github.com/Ibonok/CVE-2020-4463

Classification: Working PoC (95%)
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: IBM Maximo Asset Management (versions before 7.6.1.2)
Authentication: No auth needed
Prerequisites: Network access to the IBM Maximo web interface · XML External Entity processing enabled in the target system
Analyzed by devstral-2 on Feb 18, 2026

Nuclei Templates (1)

IBM Maximo Asset Management Information Disclosure - XML External Entity Injection
HIGH · by dwisiswant0
Shodan: http.favicon.hash:-399298961
FOFA: icon_hash=-399298961

References (2)

Core References (2)
Patch, Vendor Advisory (x_refsource_confirm)
https://www.ibm.com/support/pages/node/6253953
VDB Entry, Vendor Advisory (vdb-entry, x_refsource_xf)
https://exchange.xforce.ibmcloud.com/vulnerabilities/181484

Scores

CVSS v3 8.2
EPSS 0.3159
EPSS Percentile 98.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L

Details

VulnCheck KEV: 2024-01-22
CWE: CWE-611
Status: published
Products (2):
ibm/maximo_asset_management 7.6.0.1
ibm/maximo_asset_management 7.6.0.2
Published: Jul 29, 2020
Tracked Since: Feb 18, 2026