Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
IBM Controller 11.0.1, 11.1.0, 11.1.1, and 11.1.2 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
AnalysisAI
Hard-coded credentials in IBM Controller (versions 11.0.1, 11.1.0, 11.1.1, and 11.1.2) give attackers a static, embedded secret - a password or cryptographic key - that the product uses for inbound authentication, outbound communication, or encryption of internal data. Because the credential is the same across every deployment, an attacker who already holds low-level access (CVSS PR:L) can leverage it to gain full confidentiality, integrity, and availability impact (C:H/I:H/A:H) over the network. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Technical ContextAI
IBM Controller (IBM Cognos Controller) is an enterprise financial consolidation, close, and reporting application typically deployed inside corporate finance environments and integrated with databases and external reporting components. The root cause is CWE-798 (Use of Hard-coded Credentials): a secret value is compiled into or shipped with the product rather than generated per-installation, so it is identical for all customers and recoverable by anyone who can inspect the binaries, configuration, or traffic. Per the vendor description the credential is used for one or more of inbound authentication, outbound communication to external components, or encryption of internal data - meaning the same flaw could enable impersonation of a trusted account, interception/spoofing of component-to-component traffic, or decryption of data protected by a known key. No CPE strings were supplied beyond the version identifiers, so exact platform/edition scoping should be confirmed against the IBM advisory.
RemediationAI
Apply the fix described in the IBM Support advisory at https://www.ibm.com/support/pages/node/7273004; a patch is available per vendor advisory, but the exact fixed version/build is not stated in the data provided here and must be taken directly from that advisory rather than assumed. Because the credential is static and shared, simply patching may not be sufficient if the secret was already exposed - after upgrading, rotate or revoke any credentials, keys, or service accounts associated with Controller's inbound authentication and outbound integrations where the product supports it. As compensating controls until patched: restrict network access to the Controller server and its component/database listeners to only trusted finance hosts via firewall/segmentation (trade-off: may break legitimate integrations that must be re-permitted), and increase monitoring/logging of authentication and inter-component traffic to detect use of the embedded account (trade-off: detective only, does not prevent abuse). Confirm the precise fixed build with IBM before deploying.
Same weakness CWE-798 – Use of Hard-coded Credentials
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32423
GHSA-ww96-hf4g-fqcq