CVE-2026-3660: IBM Engineering Lifecycle Management Unauthenticated Remote Access
IBM Engineering Lifecycle Management versions 7.0.3 through Interim Fix 021, 7.1.0 through Interim Fix 009, and 7.2.0 through Interim Fix 001 are vulnerable to an unauthenticated remote attacker who can update server property files, leading to unauthorized access to the application.
IBM Engineering Lifecycle Management (ELM) is affected by a critical vulnerability, CVE-2026-3660, that lets an unauthenticated remote attacker compromise the application. Affected releases are 7.0.3 up to and including Interim Fix 021, 7.1.0 up to and including Interim Fix 009, and 7.2.0 up to and including Interim Fix 001. The flaw allows server property files to be updated without authentication; because those files govern the application's configuration, an attacker who rewrites them can bypass the authentication mechanism, gain unauthorized access and, at worst, take complete control of the application. Any organization running an affected version should treat this as an immediate risk.
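The affected ranges above are easy to misread when an inventory lists hundreds of ELM hosts, so here is a small triage helper. It is an added example written for this advisory, not IBM's tooling; it assumes version strings of the form "7.0.3 iFix021" or "7.0.3 Interim Fix 021" (a base release plus an optional interim-fix number), and the inventory at the bottom is constructed.

```python
"""Triage helper: is an IBM ELM version string inside the ranges affected by CVE-2026-3660?

Added example for this advisory, not IBM's tooling. Assumes version strings such as
"7.0.3 iFix021" or "7.0.3 Interim Fix 021"; adjust VERSION_RE if your inventory records
them differently.
"""
import re

# From the advisory: each listed release is affected from its base through this interim fix, inclusive.
AFFECTED_THROUGH_IFIX = {"7.0.3": 21, "7.1.0": 9, "7.2.0": 1}

VERSION_RE = re.compile(
    r"^(?P<base>\d+\.\d+\.\d+)(?:\s*(?:iFix|Interim Fix)\s*(?P<ifix>\d+))?$", re.IGNORECASE
)


def parse_version(text: str):
    """Split "7.1.0 iFix009" into ("7.1.0", 9); a bare release parses as interim fix 0."""
    m = VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised ELM version string: {text!r}")
    return m["base"], int(m["ifix"] or 0)


def is_affected(text: str):
    """True if the version lies in an affected range, False if it is a later interim fix of a
    listed release, None if the release is not mentioned in the advisory at all (check the
    IBM bulletin rather than assuming such a host is safe)."""
    base, ifix = parse_version(text)
    if base not in AFFECTED_THROUGH_IFIX:
        return None
    return ifix <= AFFECTED_THROUGH_IFIX[base]


def triage(inventory: dict):
    """Group hosts (host -> version string) by verdict."""
    buckets = {"affected": [], "not_in_range": [], "unlisted": []}
    for host, version in inventory.items():
        verdict = is_affected(version)
        key = "affected" if verdict else ("unlisted" if verdict is None else "not_in_range")
        buckets[key].append(host)
    return buckets


if __name__ == "__main__":
    # Constructed inventory for illustration; hostnames and versions are placeholders.
    sample = {
        "elm-prod-01": "7.0.3 iFix021",
        "elm-prod-02": "7.0.3 Interim Fix 022",
        "elm-test-01": "7.1.0",
        "elm-lab-01": "7.0.2 iFix015",
    }
    for verdict, hosts in triage(sample).items():
        print(f"{verdict:13} {', '.join(hosts) or '-'}")
```

A host that lands in "not_in_range" is only outside the ranges the advisory lists; confirm the actual fix level against the IBM bulletin before closing the ticket.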
Attack Chain
- The attacker identifies an IBM Engineering Lifecycle Management server at an affected version that is reachable from the internet.
- The attacker sends a crafted request that updates server property files. No credentials are needed: the server does not require authentication for this request.
- The server applies the change without an authentication or authorization check, so the attacker now controls critical server configuration.
- The attacker uses the modified property files to create a new administrative user or to elevate the privileges of an existing one.
- The attacker logs in to IBM ELM with the new or elevated administrative credentials.
- The attacker now has unauthorized access to sensitive data and functionality within IBM ELM.
- The attacker uses the compromised application as a foothold to move laterally within the network.
- The attacker establishes persistence in the environment and exfiltrates sensitive data.
Impact
Successful exploitation of CVE-2026-3660 can lead to complete compromise of the IBM Engineering Lifecycle Management application and potentially the host it runs on. An attacker can gain unauthorized access to sensitive data, modify critical system configuration, and disrupt business operations. Given the severity of the vulnerability (CVSS 9.8) and the fact that it is exploitable remotely without credentials, organizations running the affected versions of IBM ELM are at high risk of a breach.
Recommendation
- Apply the security updates provided by IBM to address CVE-2026-3660 immediately. Refer to https://www.ibm.com/support/pages/node/7274079 for the appropriate fix for your version of IBM Engineering Lifecycle Management.
- Do not expose IBM ELM servers directly to the internet. Because exploitation needs no credentials, network segmentation, a VPN, or an allow-listing reverse proxy in front of the server is the most effective compensating control until the fix is applied.
- Monitor web server logs for write requests that target server property files, especially from unauthenticated sessions. The Sigma rule "Detect CVE-2026-3660 Exploitation Attempt via Property File Modification" identifies potential exploitation attempts.
- Enforce strong password policies and multi-factor authentication for all user accounts. These do not prevent this vulnerability, which requires no credentials at all; apply them as defence in depth and rely on the patch and network controls to close the unauthenticated path.
Detection coverage (2 rules)
Detect CVE-2026-3660 Exploitation Attempt via Property File Modification
Severity: critical. Detects a CVE-2026-3660 exploitation attempt: an unauthenticated attacker tries to modify server property files to gain unauthorized access to IBM Engineering Lifecycle Management.
Detect Suspicious Property File Modification via Web Server
Severity: high. Detects suspicious modification of property files by an unauthenticated attacker, seen in web server logs, which can lead to privilege escalation.
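The two rules above describe the same log-level signal at two confidence levels: a write to a property file from an anonymous session that the server accepted, versus any other property-file write. The following is an added example of that logic run over access-log lines; it is not IBM's code and not the platform's Sigma rule. It assumes NCSA combined log format, treats a ".properties" name in the request target as the indicator, and uses constructed log lines with placeholder paths, because the advisory does not publish the actual vulnerable endpoint.

```python
"""Heuristic scan of web-server access logs for writes to server property files.

Added example for this advisory: not IBM's code and not the platform's Sigma rule.
Assumptions: NCSA combined log format; the exploit is a write method (POST/PUT/PATCH)
whose target names a .properties file; the sample lines are constructed and their
paths are placeholders. Tune the indicator to your deployment before relying on it.
"""
import re
from dataclasses import dataclass
from urllib.parse import unquote

# NCSA combined: host ident authuser [time] "method target protocol" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) '
)

WRITE_METHODS = {"POST", "PUT", "PATCH"}
# Assumed indicator: a .properties file name in the path or the query string.
PROPERTY_FILE_RE = re.compile(r"\.properties(?=$|[?&#/=])", re.IGNORECASE)


@dataclass
class Finding:
    severity: str  # "critical": anonymous write accepted (2xx); "high": any other property-file write
    host: str
    user: str
    method: str
    target: str
    status: int


def parse_line(line: str):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Decode once so a percent-encoded name such as teamserver%2Eproperties is not missed.
    rec["target"] = unquote(rec["target"])
    return rec


def classify(rec: dict):
    """Map one parsed record to a Finding, or None if it is not a property-file write."""
    if rec["method"] not in WRITE_METHODS or not PROPERTY_FILE_RE.search(rec["target"]):
        return None
    anonymous = rec["user"] == "-"
    accepted = 200 <= rec["status"] < 300
    severity = "critical" if anonymous and accepted else "high"
    return Finding(severity, rec["host"], rec["user"], rec["method"], rec["target"], rec["status"])


def scan(lines):
    """Run the heuristic over an iterable of log lines; unparseable lines are skipped."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            f = classify(rec)
            if f is not None:
                findings.append(f)
    return findings


# Constructed sample: an anonymous write that was accepted, an anonymous write that was
# rejected (encoded file name), an authenticated write, and two benign requests.
SAMPLE_LOG = [
    '198.51.100.7 - - [02/Apr/2026:10:14:03 +0000] "GET /jts/admin HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [02/Apr/2026:10:14:09 +0000] "POST /jts/example/config?file=teamserver.properties HTTP/1.1" 200 52 "-" "python-requests/2.31"',
    '198.51.100.7 - - [02/Apr/2026:10:14:11 +0000] "PUT /jts/example/files/teamserver%2Eproperties HTTP/1.1" 401 0 "-" "python-requests/2.31"',
    '203.0.113.5 - jadmin [02/Apr/2026:10:20:45 +0000] "POST /jts/example/config?file=teamserver.properties HTTP/1.1" 200 52 "-" "Mozilla/5.0"',
    '203.0.113.5 - jadmin [02/Apr/2026:10:21:02 +0000] "POST /ccm/oslc/workitems HTTP/1.1" 201 812 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.severity:8} {f.host:14} user={f.user:7} {f.method} {f.target} -> {f.status}")
```

The rejected attempt (401) is still reported at "high": a failed probe from an anonymous source is exactly the reconnaissance you want to see before the first accepted write, and the percent-decoding step is what keeps a trivially encoded file name from slipping past the indicator.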