Threat Feed
medium advisory

IBM Tivoli Netcool Impact Sensitive Information Leak via Log Files (CVE-2026-4788)

IBM Tivoli Netcool Impact 7.1.0.0 through 7.1.0.37 stores sensitive information in log files, potentially exposing it to unauthorized local users, tracked as CVE-2026-4788.

IBM Tivoli Netcool Impact versions 7.1.0.0 through 7.1.0.37 are vulnerable to sensitive information disclosure. Specifically, the application stores sensitive data within its log files. A local attacker with access to the file system where these logs are stored could potentially read this information. This vulnerability is identified as CVE-2026-4788, with a CVSS v3.1 score of 8.4, indicating a high severity. This issue affects organizations utilizing vulnerable versions of IBM Tivoli Netcool Impact, potentially exposing credentials, configuration details, or other sensitive data that could aid in further malicious activities. Defenders need to ensure that proper access controls are in place to protect the log files and consider upgrading to a patched version.

Attack Chain

  1. Attacker gains low-privilege local access to a system running a vulnerable IBM Tivoli Netcool Impact instance (7.1.0.0 through 7.1.0.37).
  2. Attacker identifies the location of the Tivoli Netcool Impact log files.
  3. Attacker uses standard command-line tools (e.g., cat, type, less, more) to read the log files.
  4. The attacker searches the log files for sensitive information such as passwords, API keys, or internal network addresses.
  5. Attacker leverages the extracted credentials to escalate privileges within the Tivoli Netcool Impact application or the underlying system.
  6. Attacker uses internal network addresses to discover and potentially compromise other systems within the network.
  7. Attacker uses the compromised systems to move laterally and potentially exfiltrate data.

Impact

Successful exploitation of CVE-2026-4788 can lead to the disclosure of sensitive information stored within IBM Tivoli Netcool Impact log files. This information can include credentials, configuration details, and internal network information. The impact of this vulnerability depends on the sensitivity of the data stored in the logs and the level of access granted to the attacker. If an attacker obtains administrative credentials, they can potentially gain complete control over the Tivoli Netcool Impact instance and potentially other systems within the network.

Recommendation

  • Implement strict access control lists (ACLs) on the log directories to restrict access to only authorized personnel (reference: CVE-2026-4788).
  • Regularly review and rotate log files to minimize the window of opportunity for attackers (reference: CVE-2026-4788).
  • Upgrade IBM Tivoli Netcool Impact to a version beyond 7.1.0.37, where the vulnerability is patched (reference: https://www.ibm.com/support/pages/node/7268267).
  • Deploy the Sigma rule below to detect suspicious log file access attempts on systems running IBM Tivoli Netcool Impact.
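The first two recommendations (restrictive ACLs on the log directories, and knowing what the logs actually contain) can be checked mechanically. The script below is an added example for this advisory, not IBM's code: it lists log files under the Impact log directory that a non-owner local user can read, reports which lines look like they carry credentials (without echoing the secret itself), and strips the group/other read bits. The log location is an assumption ($IMPACT_HOME/logs, the default for an Impact install; verify it against your deployment), and the secret patterns are constructed for the example.

```python
"""Audit and harden permissions on Tivoli Netcool Impact log files.

Added example for the recommendations above; not IBM's code. LOG_DIR is an
assumption (Impact writes logs under $IMPACT_HOME/logs on a default install);
check it against your own deployment.
"""
from __future__ import annotations

import os
import re
import stat
import tempfile
from pathlib import Path

# Assumed default location; override IMPACT_HOME for your install.
LOG_DIR = Path(os.environ.get("IMPACT_HOME", "/opt/IBM/tivoli/impact")) / "logs"

# Patterns that indicate a credential or secret has been written to a log line.
# Constructed for this example; extend with patterns from your own environment.
SECRET_PATTERNS = [
    re.compile(r"(?i)\b(password|passwd|pwd)\s*[=:]\s*(\S+)"),
    re.compile(r"(?i)\b(api[_-]?key|token|secret)\s*[=:]\s*(\S+)"),
]


def world_or_group_readable(path: Path) -> bool:
    """True if anyone other than the file owner can read the file."""
    mode = path.stat().st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def find_exposed_log_files(log_dir: Path) -> list[Path]:
    """Return files under log_dir that a non-owner local user could read."""
    return sorted(
        p for p in log_dir.rglob("*") if p.is_file() and world_or_group_readable(p)
    )


def scan_for_secrets(path: Path) -> list[tuple[int, str]]:
    """Return (line_number, field_name) for lines that look like they carry a secret.

    The matched value is deliberately not returned, so the audit output can be
    shared without re-leaking whatever the log contains.
    """
    hits: list[tuple[int, str]] = []
    with path.open("r", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            for pat in SECRET_PATTERNS:
                m = pat.search(line)
                if m:
                    hits.append((lineno, m.group(1).lower()))
                    break
    return hits


def harden(log_dir: Path, owner_only: bool = True) -> int:
    """Remove group/other read access from log files and close the directory.

    Returns the number of files whose mode was changed. owner_only=False keeps
    group read (0o640 / 0o750) for a log-shipper that runs in the owner's group.
    """
    os.chmod(log_dir, 0o700 if owner_only else 0o750)
    changed = 0
    for p in log_dir.rglob("*"):
        if p.is_file() and world_or_group_readable(p):
            p.chmod(0o600 if owner_only else 0o640)
            changed += 1
    return changed


def audit(log_dir: Path) -> dict:
    """Summarise exposed files and which of them contain credential-like lines."""
    exposed = find_exposed_log_files(log_dir)
    return {
        "exposed_files": [str(p) for p in exposed],
        "secret_hits": {str(p): scan_for_secrets(p) for p in exposed},
    }


def build_constructed_log_dir() -> Path:
    """Create a temp dir holding a constructed, world-readable log file for the demo."""
    d = Path(tempfile.mkdtemp(prefix="impact-logs-"))
    f = d / "impactserver.log"
    f.write_text(
        "2024-01-01 10:00:00 INFO  ObjectServer connection established\n"
        "2024-01-01 10:00:01 DEBUG datasource=NCOMS user=root password=Example123!\n"
        "2024-01-01 10:00:02 INFO  policy AlertHandler loaded\n"
    )
    f.chmod(0o644)   # the exposure this advisory is about: readable by any local user
    d.chmod(0o755)
    return d


if __name__ == "__main__":
    demo_dir = build_constructed_log_dir()   # swap for LOG_DIR on a real host
    print("before:", audit(demo_dir))
    print("files hardened:", harden(demo_dir))
    print("after:", audit(demo_dir))
```

Run it as the account that owns the Impact installation; if a log collector runs under a different account, use owner_only=False and put the collector in the owner's group rather than reopening the files to everyone. Permissions only narrow who can read the logs; lines that scan_for_secrets reports still mean the corresponding credential should be rotated, because the exposure began when the line was written.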

Detection coverage (2 rules)

Detect Suspicious Access to Tivoli Netcool Impact Log Files

Severity: medium

Detects suspicious processes attempting to read Tivoli Netcool Impact log files, indicating potential exploitation of CVE-2026-4788.

Rule format: sigma | Tactics: discovery | Techniques: T1005 | Sources: file_event, windows

Detect Suspicious Access to Tivoli Netcool Impact Log Files (Linux)

Severity: medium

Detects suspicious processes attempting to read Tivoli Netcool Impact log files on Linux systems, indicating potential exploitation of CVE-2026-4788.

Rule format: sigma | Tactics: discovery | Techniques: T1005 | Sources: file_event, linux
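The two rules above share one idea: a file_event that opens an Impact log file for reading is noteworthy when the reading process or account is not one expected to touch those files. The following is an added example that reproduces that logic over constructed events; it is not the platform's Sigma rule text and not IBM's code. The event field names (user, process, path, access), the log directory, and the reader and account allowlists are all assumptions to be mapped onto your own file_event source (auditd, Sysmon, EDR) before use.

```python
"""Flag reads of Tivoli Netcool Impact log files by unexpected processes or users.

Added example mirroring the two detection rules above; not the platform's rule
text and not IBM's code. Field names, IMPACT_LOG_DIR and the allowlists are
assumptions for the example.
"""
from __future__ import annotations

from pathlib import PurePosixPath

# Assumed default log location; override for your install.
IMPACT_LOG_DIR = "/opt/IBM/tivoli/impact/logs"

# Processes that legitimately read these files on a typical host (assumed):
# the Impact JVM, a log shipper, and log rotation.
EXPECTED_READERS = {"java", "filebeat", "splunkd", "logrotate", "rsyslogd"}

# Accounts expected to touch the logs (assumed: the Impact service account and root).
EXPECTED_USERS = {"netcool", "root"}


def is_impact_log(path: str) -> bool:
    """True if path lies under the Impact log directory (path-component match,
    so a sibling directory such as .../logsx does not match)."""
    return PurePosixPath(IMPACT_LOG_DIR) in PurePosixPath(path).parents


def classify(event: dict) -> str | None:
    """Return a reason string if the event is suspicious, else None.

    Only read accesses to files under the log directory are considered; each
    of the two allowlists contributes its own reason so analysts can see why
    the alert fired.
    """
    if event.get("access") != "read":
        return None
    if not is_impact_log(event.get("path", "")):
        return None
    proc = PurePosixPath(event.get("process", "")).name
    user = event.get("user", "")
    reasons = []
    if proc not in EXPECTED_READERS:
        reasons.append(f"unexpected process {proc!r}")
    if user not in EXPECTED_USERS:
        reasons.append(f"unexpected user {user!r}")
    return "; ".join(reasons) or None


def detect(events: list[dict]) -> list[dict]:
    """Run classify over an event stream and return enriched alert records."""
    alerts = []
    for ev in events:
        reason = classify(ev)
        if reason:
            alerts.append({**ev, "reason": reason, "cve": "CVE-2026-4788"})
    return alerts


# Constructed sample events (not real telemetry). One benign write by the
# service, one read by the log shipper, one read by an interactive pager, one
# read by an unexpected account, and one read outside the log directory.
SAMPLE_EVENTS = [
    {"user": "netcool", "process": "/usr/bin/java",
     "path": IMPACT_LOG_DIR + "/impactserver.log", "access": "write"},
    {"user": "root", "process": "/usr/share/filebeat/bin/filebeat",
     "path": IMPACT_LOG_DIR + "/impactserver.log", "access": "read"},
    {"user": "guest", "process": "/usr/bin/cat",
     "path": IMPACT_LOG_DIR + "/impactserver.log.1", "access": "read"},
    {"user": "netcool", "process": "/usr/bin/less",
     "path": IMPACT_LOG_DIR + "/impactserver.log", "access": "read"},
    {"user": "guest", "process": "/usr/bin/cat",
     "path": "/var/log/syslog", "access": "read"},
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["user"], alert["process"], alert["path"], "->", alert["reason"])
```

Against the sample stream this yields two alerts: the cat read by "guest" (both allowlists miss) and the less read by the service account (process allowlist misses). An administrator's own interactive reads will fire the second form; tune by adding your break-glass or operations accounts to EXPECTED_USERS and weighting process-only hits lower rather than by widening EXPECTED_READERS, since the page's attack chain is precisely a standard tool reading the file.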


Indicators of compromise (1)

Type    Value
email   [email protected]