CVE-2024-56462 Overview
CVE-2024-56462 affects IBM QRadar SIEM versions 7.5.0 through 7.5.0 UP15 Interim Fix 002. The vulnerability allows an already privileged QRadar user to upload a malicious backup archive; when that archive is restored, the contents land on the underlying operating system and the attacker gains access to the host. The flaw is categorized under CWE-530 (Exposure of Backup File to an Unauthorized Control Sphere). IBM has published a support advisory describing the affected releases and remediation paths.
Critical Impact
A privileged QRadar administrator can escalate from application-level access to full operating system access on the appliance by restoring a crafted backup archive.
Affected Products
- IBM QRadar SIEM 7.5.0
- IBM QRadar SIEM 7.5.0 through UP15
- IBM QRadar SIEM 7.5.0 UP15 Interim Fix 002
Discovery Timeline
- 2026-05-27 - CVE-2024-56462 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2024-56462
Vulnerability Analysis
The vulnerability resides in QRadar's backup and restore workflow. QRadar allows administrators to export configuration and data into backup archives, then restore those archives to recover state. The restore process does not adequately validate the contents and structure of the archive before writing them out. An attacker with privileged QRadar access can craft a backup archive containing additional or modified files. When the archive is restored, those files are written to locations on the underlying Linux host with the elevated privileges of the restore process. The result is arbitrary file placement on the host, and through it command execution, outside the bounds of the QRadar application.
Root Cause
The root cause is improper validation of backup archive contents during restore. The advisory categorizes the flaw under CWE-530 (Exposure of Backup File to an Unauthorized Control Sphere); the exploitable weakness is that QRadar trusts backup archives produced by the platform to be well-formed and benign, and does not distinguish them from archives a user has uploaded. An attacker who can place a malicious archive into the restore path subverts that assumption. Because restore operations run with high privilege on the appliance, malicious files inside the archive land in sensitive paths on disk.
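To make the root cause concrete, the following is an added example, not QRadar's restore code and not anything from the IBM advisory, of the validation a restore path should perform before it writes archive members to disk. It builds two archives in memory (both constructed for this example; the allowed top-level directories config/ and data/, the member names, and their contents are assumptions) and rejects members that would escape the restore root, use absolute paths, are symlinks or hard links, are device files, or carry setuid/setgid bits.

```python
import io
import posixpath
import tarfile


def build_archive(members):
    """Build a gzip'd tar in memory from (name, data, kind) tuples.

    kind is "file" or "symlink"; for a symlink, data is the link target.
    Constructed helper for this example; it deliberately does NOT strip
    leading slashes or '..', so it can produce the hostile archive below.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data, kind in members:
            info = tarfile.TarInfo(name)
            if kind == "symlink":
                info.type = tarfile.SYMTYPE
                info.linkname = data
                tar.addfile(info)
            else:
                payload = data.encode()
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def check_archive(blob, allowed_roots=("config/", "data/")):
    """Return a list of rejection reasons; an empty list means the archive passed.

    This is the check a restore routine must run before extracting anything:
    inspect every member header and refuse the whole archive on the first
    class of problem, rather than extracting and cleaning up afterwards.
    """
    problems = []
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for m in tar.getmembers():
            name = m.name
            parts = name.split("/")
            norm = posixpath.normpath(name)
            # Absolute paths and any '..' component would place the file
            # outside the restore root (e.g. into /etc/cron.d).
            if posixpath.isabs(name) or ".." in parts:
                problems.append(f"path escapes restore root: {name}")
                continue
            # Links let a later member overwrite a host file through the link.
            if m.issym() or m.islnk():
                problems.append(f"link not allowed: {name} -> {m.linkname}")
                continue
            if m.isdev() or m.isfifo():
                problems.append(f"special file not allowed: {name}")
                continue
            # Only the directories a platform-generated backup contains are allowed.
            if not any(norm == r.rstrip("/") or norm.startswith(r) for r in allowed_roots):
                problems.append(f"unexpected top-level path: {name}")
                continue
            if m.mode & 0o6000:
                problems.append(f"setuid/setgid bit set: {name}")
    return problems


# Constructed sample archives. BENIGN looks like a platform-generated backup;
# MALICIOUS carries the kinds of members a crafted archive would use.
BENIGN = build_archive([
    ("config/deploy.xml", "<config/>", "file"),
    ("data/events.db", "placeholder", "file"),
])

MALICIOUS = build_archive([
    ("config/deploy.xml", "<config/>", "file"),
    ("../../etc/cron.d/restore-hook", "* * * * * root /tmp/x\n", "file"),
    ("/root/.ssh/authorized_keys", "ssh-ed25519 AAAA... attacker\n", "file"),
    ("data/link", "/etc/shadow", "symlink"),
])


if __name__ == "__main__":
    print("benign   :", check_archive(BENIGN) or "OK")
    for p in check_archive(MALICIOUS):
        print("malicious:", p)
```

On Python 3.12 and later, tarfile's extraction filters (extractall(filter="data")) apply equivalent rules at extraction time; the explicit pre-check above is still useful because it lets the restore refuse the archive as a whole and log why, instead of failing part-way through.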
Attack Vector
Exploitation requires high privileges on the QRadar console, consistent with the CVSS vector's PR:H. The attacker authenticates as a privileged QRadar user, uploads or stages a crafted backup archive, and triggers the restore operation. No user interaction beyond the attacker's own actions is required. The network attack vector reflects that QRadar administrative interfaces are typically reachable over the network. The practical significance is the boundary that is crossed: an application administrator, whose access should end at the QRadar console, obtains shell-equivalent access to the appliance host, which can be used to read sensitive log data, tamper with detections, pivot into the monitored environment, or persist on the SIEM itself. No public proof-of-concept exploit is currently listed, and the issue is not present in the CISA Known Exploited Vulnerabilities catalog.
No verified exploit code is available. See the IBM Support Page for technical specifics.
Detection Methods for CVE-2024-56462
Indicators of Compromise
- Unexpected backup restore events in QRadar audit logs, especially outside scheduled maintenance windows.
- Backup archives present on the QRadar host that were not generated by the platform's own backup process.
- New or modified files in system directories on the QRadar appliance following a restore operation.
- Unusual outbound network connections or shell processes originating from QRadar service accounts.
Detection Strategies
- Audit QRadar administrator activity for backup uploads and restore actions, correlating user, source IP, and timestamp.
- Monitor file integrity on the QRadar appliance for changes to directories outside expected backup/restore paths.
- Alert on process execution under QRadar service identities that spawn shells, interpreters, or network utilities.
- Review authentication logs for privileged QRadar accounts and flag logins from atypical locations or hours.
Monitoring Recommendations
- Forward QRadar host syslog, audit, and authentication events to an independent log store so a compromised SIEM cannot suppress evidence.
- Track changes to the set of administrator-role accounts and any role assignments granting backup or restore permissions.
- Baseline normal backup file sizes and frequencies; investigate archives that deviate significantly.
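The detection strategies and monitoring recommendations above amount to one correlation: a restore event, who ran it, from where, when, and whether an upload by the same account preceded it. The following is an added example of that logic run over constructed log lines; it is not QRadar's code and the line layout ("<timestamp> <host> [Audit] [user@ip] :: <action> :: <detail>"), the action names, the maintenance window and the trusted admin subnet are all assumptions for the example, so adapt the regex and constants to the real audit records before use.

```python
import re
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed sample lines; the field layout is an assumption for this example,
# not QRadar's documented audit format.
SAMPLE_LOG = """\
2025-03-10T02:14:07 qradar-console [Audit] [admin@10.0.0.5] :: BackupRestore :: backup_id=20250309
2025-03-10T10:30:00 qradar-console [Audit] [jdoe@203.0.113.9] :: BackupUpload :: file=cfg_backup.tgz size=9123456
2025-03-10T10:31:15 qradar-console [Audit] [jdoe@203.0.113.9] :: BackupRestore :: backup_id=cfg_backup
2025-03-10T10:45:00 qradar-console [Audit] [admin@10.0.0.5] :: UserLogin :: result=success
2025-03-12T02:05:00 qradar-console [Audit] [backup-svc@10.0.0.7] :: BackupCreate :: size=8800000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) \[Audit\] \[(?P<user>[^@\]]+)@(?P<ip>[^\]]+)\] "
    r":: (?P<action>\w+) :: (?P<detail>.*)$"
)

# Assumed site policy: restores happen in a 01:00-04:00 change window,
# from the admin subnet only.
MAINT_START, MAINT_END = time(1, 0), time(4, 0)
ADMIN_NETS = [ip_network("10.0.0.0/24")]
UPLOAD_WINDOW_SECONDS = 3600


def parse(log):
    """Parse audit lines into dicts; lines that do not match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def flag_restores(events):
    """Return (event, reasons) for every BackupRestore that warrants review."""
    findings = []
    for i, ev in enumerate(events):
        if ev["action"] != "BackupRestore":
            continue
        reasons = []
        if not (MAINT_START <= ev["ts"].time() <= MAINT_END):
            reasons.append("outside maintenance window")
        if not any(ip_address(ev["ip"]) in net for net in ADMIN_NETS):
            reasons.append("source IP outside admin subnet")
        # A restore shortly after an upload by the same account means the
        # archive did not come from the platform's own backup job.
        for prev in events[:i]:
            age = (ev["ts"] - prev["ts"]).total_seconds()
            if (prev["action"] == "BackupUpload" and prev["user"] == ev["user"]
                    and 0 <= age <= UPLOAD_WINDOW_SECONDS):
                reasons.append(f"restore preceded by upload ({prev['detail']})")
                break
        if reasons:
            findings.append((ev, reasons))
    return findings


if __name__ == "__main__":
    for ev, reasons in flag_restores(parse(SAMPLE_LOG)):
        print(f"{ev['ts']} {ev['user']}@{ev['ip']} restore: " + "; ".join(reasons))
```

Run against the sample, the in-window restore by admin from the admin subnet produces nothing, while the daytime restore by jdoe from an outside address that follows an upload by the same account is flagged on all three counts. Because a compromised SIEM can suppress its own evidence, run this over the copy of the audit log forwarded to the independent log store rather than over the console's local file.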
How to Mitigate CVE-2024-56462
Immediate Actions Required
- Apply the fix referenced in the IBM Support Page for QRadar 7.5.0.
- Restrict QRadar administrator role membership to the minimum set of operators required.
- Restrict network access to the QRadar console interface using firewall rules or jump-host architectures.
- Review recent backup restore operations and validate that each was authorized and expected.
Patch Information
IBM has published remediation details for affected QRadar 7.5.0 releases through UP15 Interim Fix 002. Refer to the IBM Support Page for the specific interim fix or update level that addresses CVE-2024-56462 and apply it on all QRadar consoles, managed hosts, and high-availability pairs.
Workarounds
- Limit the QRadar Admin role and any custom roles with backup/restore permissions to a small, audited set of accounts.
- Require multi-factor authentication and named-account login for all QRadar administrative access.
- Store and transport backup archives only through trusted, integrity-checked channels until patching is complete.
- Treat the QRadar appliance as a sensitive system and monitor it with an independent endpoint detection capability, so that host-level activity following a restore is visible outside the SIEM itself.
# Configuration example
# Review recent backup and restore activity recorded on the console
# (run as root on the QRadar console; QRadar writes its own audit trail to /var/log/audit/audit.log)
grep -Ei 'restore|backup' /var/log/audit/audit.log
grep -Ei 'restore|backup' /var/log/qradar.log
# Restrict network access to the console UI (example iptables rules).
# Rule order matters: the ACCEPT for the admin subnet must come before the DROP, and both
# must come before any broader ACCEPT for 443 already in the chain. Inserting at position 1
# in reverse order achieves that; verify with: iptables -L INPUT -n --line-numbers
iptables -I INPUT 1 -p tcp --dport 443 -j DROP
iptables -I INPUT 1 -p tcp --dport 443 -s <trusted_admin_subnet> -j ACCEPT
# QRadar manages the appliance firewall itself, so persist custom rules through the
# mechanism IBM documents rather than relying on an ad-hoc rule surviving a deploy or reboot.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.