PatchSiren cyber security CVE debrief
CVE-2024-28765 IBM CVE debrief
IBM Security Directory Integrator (SDI) versions 7.2.0.0 through 7.2.0.14 and 10.0.0.0 through 10.0.0.2 return overly verbose technical error messages to browser clients. These messages may expose internal system details—such as stack traces, file paths, or configuration parameters—that an unauthenticated remote attacker could harvest to refine subsequent targeting. The vulnerability is classified as CWE-209: Generation of Error Message Containing Sensitive Information. IBM has released patches; administrators should apply them and configure generic error responses.
- Vendor: IBM
- Product: SDI (IBM Security Directory Integrator)
- CVSS: 5.3 (Medium)
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Organizations running IBM Security Directory Integrator 7.2.0.0–7.2.0.14 or 10.0.0.0–10.0.0.2, particularly those with externally facing administrative or synchronization interfaces.
Technical summary
Affected IBM SDI versions emit detailed technical error messages to browser clients under fault conditions. The CVSS 3.1 base score of 5.3 (Medium) reflects an attack that is network-reachable, low in complexity, and requires neither privileges nor user interaction, but whose only impact is a limited loss of confidentiality: the leaked details (stack traces, file paths, configuration values) do not by themselves compromise the system, they make the next step easier. Remediation centers on vendor patching and hardening error-response configurations so that clients receive a generic message while the full diagnostics stay in server-side logs.
Defensive priority
Medium
Recommended defensive actions
- Apply the IBM-provided fixes for SDI 7.2.0.x and 10.0.0.x per the vendor security bulletin, then re-test the affected interfaces with deliberately malformed requests to confirm the fix took effect.
- Configure web-tier error handling to return generic, non-technical messages to end users (optionally with an opaque reference ID that support staff can match against the server log); log detailed diagnostics server-side only.
- Review application and access logs for unusual 5xx volume or systematic probing patterns (one client hitting many distinct endpoints with malformed input) that may indicate reconnaissance activity.
- Validate that load balancers, reverse proxies, or WAFs are not inadvertently caching or forwarding raw backend error responses; where the proxy supports it, have it substitute its own error page for upstream 5xx responses rather than relaying the backend body.
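The following Python script is an added example written for this debrief, not IBM code or an IBM-supplied signature. It covers two of the actions above: a check that an error response has actually been reduced to a generic message (no Java stack frames, package-qualified exception names, absolute paths or connection strings), and a pass over access-log lines that flags a client producing many 5xx responses across many distinct paths, which is what systematic probing for verbose errors looks like. The two response bodies, the log lines, the class names and the paths are all constructed for illustration; the leak heuristics are this example's own and would need tuning for a real deployment.

```python
import re
from collections import defaultdict

# Heuristics for a verbose (CWE-209) error body. These are the example's own
# patterns, not vendor-provided ones.
LEAK_PATTERNS = {
    # "at pkg.Class.method(File.java:123)" style Java stack frame
    "java_stack_frame": re.compile(r"\bat (?:[\w$]+\.)+[\w$<>]+\([^)]*\)"),
    # package-qualified exception class, e.g. java.lang.NullPointerException
    "qualified_exception": re.compile(r"\b(?:[a-z_$][\w$]*\.)+\w*(?:Exception|Error)\b"),
    # Windows drive path or common Unix install/config path
    "absolute_path": re.compile(r"(?:[A-Za-z]:\\[\w\\.\- ]+|/(?:opt|usr|etc|home|var)/[\w/.\-]+)"),
    # JDBC or LDAP connection string leaking backend topology
    "connection_string": re.compile(r"\b(?:jdbc:\w+:|ldaps?://)\S+"),
}


def find_leaks(body: str) -> dict:
    """Return {indicator_name: first_match} for every leak pattern found in body."""
    found = {}
    for name, rx in LEAK_PATTERNS.items():
        m = rx.search(body)
        if m:
            found[name] = m.group(0)
    return found


def is_generic_error(body: str) -> bool:
    """True when the body carries none of the leak indicators (the desired post-fix state)."""
    return not find_leaks(body)


# Constructed "before" body: what a verbose 500 page might look like.
VERBOSE_RESPONSE = """HTTP/1.1 500 Internal Server Error
java.lang.NullPointerException: null
    at com.example.sdi.AssemblyLine.execute(AssemblyLine.java:412)
    at com.example.sdi.rest.SessionResource.run(SessionResource.java:88)
Loaded configuration from /opt/example/solution/config.properties
Failed to open jdbc:db2://db.example.internal:50000/EXAMPLEDB
"""

# Constructed "after" body: generic message plus an opaque reference ID.
GENERIC_RESPONSE = "An unexpected error occurred. Reference ID 7f3a9c. Contact your administrator.\n"

# Combined-format access log: ip ident user [ts] "METHOD PATH PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def find_probing_sources(log_lines, min_errors: int = 5, min_paths: int = 3) -> dict:
    """Flag client IPs whose 5xx count and distinct-path count both exceed the thresholds."""
    errors = defaultdict(int)
    paths = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line, skip rather than guess
        if int(m.group("status")) >= 500:
            errors[m.group("ip")] += 1
            paths[m.group("ip")].add(m.group("path"))
    return {
        ip: {"errors": n, "distinct_paths": len(paths[ip])}
        for ip, n in errors.items()
        if n >= min_errors and len(paths[ip]) >= min_paths
    }


# Constructed sample: one client fuzzing several endpoints, one ordinary client.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [27/May/2026:10:00:01 +0000] "GET /app/config HTTP/1.1" 500 2311',
    '203.0.113.5 - - [27/May/2026:10:00:02 +0000] "GET /app/connector?id=%27 HTTP/1.1" 500 2290',
    '203.0.113.5 - - [27/May/2026:10:00:03 +0000] "GET /app/run?al=../x HTTP/1.1" 500 2274',
    '203.0.113.5 - - [27/May/2026:10:00:04 +0000] "POST /app/session HTTP/1.1" 500 2305',
    '203.0.113.5 - - [27/May/2026:10:00:05 +0000] "GET /app/status?x=%00 HTTP/1.1" 500 2288',
    '203.0.113.5 - - [27/May/2026:10:00:06 +0000] "GET /app/config HTTP/1.1" 500 2311',
    '198.51.100.7 - - [27/May/2026:10:00:07 +0000] "GET /app/status HTTP/1.1" 200 512',
    '198.51.100.7 - - [27/May/2026:10:00:08 +0000] "GET /app/run HTTP/1.1" 500 2274',
]

if __name__ == "__main__":
    print("before fix leaks:", find_leaks(VERBOSE_RESPONSE))
    print("after fix generic:", is_generic_error(GENERIC_RESPONSE))
    print("probing sources:", find_probing_sources(SAMPLE_ACCESS_LOG))
```

To use this against a live system, feed `find_leaks` the body of a response to a deliberately malformed request on each externally reachable endpoint; a non-empty result after patching means the web tier or a proxy is still passing backend diagnostics through. The thresholds in `find_probing_sources` are deliberately low for the sample data and should be raised to fit real traffic volumes.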
Evidence notes
The vulnerability description and affected versions are drawn from the official CVE record and IBM PSIRT reference. CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N confirms network-accessible, low-complexity information disclosure without integrity or availability impact.
Official resources
- CVE-2024-28765 CVE record (CVE.org)
- CVE-2024-28765 NVD detail (NVD)
- Source reference: IBM disclosed this vulnerability on 27 May 2026. No public exploitation or ransomware campaign linkage has been reported.