IBM patches "highly dangerous" Maximo Asset Management flaw
Companies in aerospace, nuclear power and pharmaceutics are vulnerable to server-side request forgery attacks


IBM has patched a dangerous flaw found in its Maximo Asset Management software that could allow hackers to send unauthorised requests from corporate systems to scan networks and launch other attacks.
Dubbed vulnerability CVE-2020-4529, the flaw also affects industry-specific versions of IBM Maximo, for sectors including pharmaceuticals, oil and gas, auto manufacturing, aerospace, railways, airports, utilities, and nuclear power plants. It also affects SmartCloud Control Desk, IBM Control Desk and Tivoli Integration Composer.
Found in versions 7.6.0 and 7.6.1 of IBM Maximum Asset Management, the attack involves server-side request forgery (SSRF), according to Positive Technologies experts Arseny Sharoglazov and Andrey Medov, who discovered the flaw. With a CSS score of 7.3, it’s deemed “highly dangerous”.
SSRF is a web security flaw that allows an attacker to induce a server-side application to make HTTP requests to an arbitrary domain the attacker chooses. A typical attack may cause the server to make a connection back to itself, or to external third-party systems.
IBM Maximo is usually accessible from all of a company’s warehouses, located in multiple regions and countries, with users’ access restricted to only what they need. Large companies use IBM’s computerised maintenance management system (CMMS) to run maintenance and repairs in industries that rely heavily on assets.
The vulnerability, however, allows bypassing of this restriction and could, therefore, be exploited by hackers to potentially access all systems, blueprints, documents and accounting information.
“IBM Maximo Asset Management software is used at major critical facilities,” said Sharoglazov. “Any vulnerabilities in it could attract APT groups interested in access to the internal network.
Get the ITPro daily newsletter
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
“One example of a low-privileged attacker is a warehouse worker, who remotely connects to the system and enters items into a database. A threat could also come from the warehouse worker's workstation itself, if infected by a virus.”
Employees may sometimes connect to IBM Maximo directly over the internet with weak passwords and no VPN, Sharoglazov added, making an attack easier to perform.
This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network reconnaissance or facilitating other attacks.
Customers are urged to immediately update IBM Maximo Asset Management, as well as associated solutions and products, to the latest versions.
The researchers who discovered the flaw have also urged users to deploy a web application firewall to prevent exploitation of web vulnerabilities in general. This is alongside regular penetration testing, and the mandatory use of certificates or a VPN for access to internal systems.

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.
-
Hackers are targeting Ivanti VPN users again – here’s what you need to know
News Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
By Emma Woollacott
-
Broadcom issues urgent alert over three VMware zero-days
News The firm says it has information to suggest all three are being exploited in the wild
By Solomon Klappholz
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claim
News Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
By Solomon Klappholz
-
Everything you need to know about the Microsoft Power Pages vulnerability
News A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
By Solomon Klappholz
-
Vulnerability management complexity is leaving enterprises at serious risk
News Fragmented data and siloed processes mean remediation is taking too long
By Emma Woollacott
-
A critical Ivanti flaw is being exploited in the wild – here’s what you need to know
News Cyber criminals are actively exploiting a critical RCE flaw affecting Ivanti Connect Secure appliances
By Solomon Klappholz
-
Researchers claim an AMD security flaw could let hackers access encrypted data
News Using only a $10 test rig, researchers were able to pull off the badRAM attack
By Solomon Klappholz
-
Busting nine myths about file-based threats
Whitepaper Distinguish the difference between fact and fiction when it comes to preventing file-based threats
By ITPro