Rapid7 Vulnerability & Exploit Database

IBM TM1 / Planning Analytics Unauthenticated Remote Code Execution

Back to Search

IBM TM1 / Planning Analytics Unauthenticated Remote Code Execution



This module exploits a vulnerability in IBM TM1 / Planning Analytics that allows an unauthenticated attacker to perform a configuration overwrite. It starts by querying the Admin server for the available applications, picks one, and then exploits it. You can also provide an application name to bypass this step, and exploit the application directly. The configuration overwrite is used to change an application server authentication method to "CAM", a proprietary IBM auth method, which is simulated by the exploit. The exploit then performs a fake authentication as admin, and finally abuses TM1 scripting to perform a command injection as root or SYSTEM. Testing was done on IBM PA 2.0.6 and IBM TM1 10.2.2 on Windows and Linux. Versions up to and including PA 2.0.8 are vulnerable. It is likely that versions earlier than TM1 10.2.2 are also vulnerable (10.2.2 was released in 2014).


  • Pedro Ribeiro <pedrib@gmail.com>
  • Gareth Batchelor <gbatchelor@cloudtrace.com.au>


Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/multi/misc/ibm_tm1_unauth_rce
msf exploit(ibm_tm1_unauth_rce) > show targets
msf exploit(ibm_tm1_unauth_rce) > set TARGET < target-id >
msf exploit(ibm_tm1_unauth_rce) > show options
    ...show and set options...
msf exploit(ibm_tm1_unauth_rce) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security