Multiple vulnerabilities in IBM Financial Transaction Manager (FTM) for RedHat OpenShift
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 7 |
| CVE-ID | CVE-2024-55549 CVE-2025-0624 CVE-2025-24855 CVE-2025-30204 CVE-2022-49043 CVE-2024-53150 CVE-2025-29781 |
| CWE-ID | CWE-416 CWE-787 CWE-400 CWE-125 CWE-200 |
| Exploitation vector | Network |
| Public exploit | Vulnerability #6 is being exploited in the wild. |
| Vulnerable software |
Financial Transaction Manager Client/Desktop applications / Other client software |
| Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains information about 7 vulnerabilities.
1) Use-after-free
EUVDB-ID: #VU105879
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2024-55549
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in xsltGetInheritedNsList. A remote attacker can pass specially crafted input to the application, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsFinancial Transaction Manager: 3.2.13 - 4.0.6.0 iFix4
CPE2.3- cpe:2.3:a:ibm_corporation:financial_transaction_manager:3.2.13:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:financial_transaction_manager:3.2.13:iFix1:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:financial_transaction_manager:3.2.13:iFix2:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/7235753
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Out-of-bounds write
EUVDB-ID: #VU104080
Risk: Low
CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-0624
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the grub_net_search_config_file() function. A local user can trigger an out-of-bounds write and execute arbitrary code on the system.
MitigationInstall update from vendor's website.
Vulnerable software versionsFinancial Transaction Manager: 3.2.13 - 4.0.6.0 iFix4
CPE2.3- cpe:2.3:a:ibm_corporation:financial_transaction_manager:3.2.13:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:financial_transaction_manager:3.2.13:iFix1:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:financial_transaction_manager:3.2.13:iFix2:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/7235753
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Use-after-free
EUVDB-ID: #VU105946
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2025-24855
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in numbers.c when handling nested XPath evaluations. A remote attacker can pass specially crafted XML input to the application, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsFinancial Transaction Manager: 3.2.13 - 4.0.6.0 iFix4
CPE2.3- cpe:2.3:a:ibm_corporation:financial_transaction_manager:3.2.13:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:financial_transaction_manager:3.2.13:iFix1:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:financial_transaction_manager:3.2.13:iFix2:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/7235753
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Resource exhaustion
EUVDB-ID: #VU105983
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-30204
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources within the parse.ParseUnverified function when parsing authorization header. A remote attacker can send a specially crafted HTTP response to the application, trigger resource exhaustion and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsFinancial Transaction Manager: 3.2.13 - 4.0.6.0 iFix4
CPE2.3- cpe:2.3:a:ibm_corporation:financial_transaction_manager:3.2.13:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:financial_transaction_manager:3.2.13:iFix1:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:financial_transaction_manager:3.2.13:iFix2:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/7235753
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Use-after-free
EUVDB-ID: #VU103502
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-49043
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the xmlXIncludeAddNode() function in xinclude.c. A remote attacker can pass specially crafted XML input to the application, trigger a use-after-free error and crash the application or potentially execute arbitrary code.
Install update from vendor's website.
Vulnerable software versionsFinancial Transaction Manager: 3.2.13 - 4.0.6.0 iFix4
CPE2.3- cpe:2.3:a:ibm_corporation:financial_transaction_manager:3.2.13:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:financial_transaction_manager:3.2.13:iFix1:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:financial_transaction_manager:3.2.13:iFix2:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/7235753
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Out-of-bounds read
EUVDB-ID: #VU101910
Risk: High
CVSSv4.0: 6.8 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber]
CVE-ID: CVE-2024-53150
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to an out-of-bounds read error within the DESC_LENGTH_CHECK(), validate_clock_source() and validate_clock_selector() functions in sound/usb/clock.c. A local user can perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsFinancial Transaction Manager: 3.2.13 - 4.0.6.0 iFix4
CPE2.3- cpe:2.3:a:ibm_corporation:financial_transaction_manager:3.2.13:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:financial_transaction_manager:3.2.13:iFix1:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:financial_transaction_manager:3.2.13:iFix2:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/7235753
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
7) Information disclosure
EUVDB-ID: #VU106015
Risk: Low
CVSSv4.0: 2 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-29781
CWE-ID:
CWE-200 - Exposure of sensitive information to an unauthorized actor
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to the Bare Metal Operator (BMO) can expose any secret from other namespaces via BMCEventSubscription CRD. A local user can gain unauthorized access to sensitive information on the system.
MitigationInstall update from vendor's website.
Vulnerable software versionsFinancial Transaction Manager: 3.2.13 - 4.0.6.0 iFix4
CPE2.3- cpe:2.3:a:ibm_corporation:financial_transaction_manager:3.2.13:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:financial_transaction_manager:3.2.13:iFix1:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:financial_transaction_manager:3.2.13:iFix2:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/7235753
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
