CVE-2025-33004 is a path traversal vulnerability identified in IBM Planning Analytics Local versions 2.0 and 2.1. This vulnerability arises from improper limitation of a pathname to a restricted directory (CWE-22), allowing a privileged user to delete files outside the intended directory scope. Specifically, the flaw permits the traversal of directory paths beyond the designated restricted directories, enabling unauthorized deletion of files elsewhere on the system. The vulnerability requires a privileged user context (high privileges) but does not require user interaction. The CVSS 3.1 base score is 6.5, indicating a medium severity level. The attack vector is network-based (AV:N), with low attack complexity (AC:L), and the impact affects integrity and availability (I:H, A:H) but not confidentiality. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability could be exploited by an attacker who has already gained privileged access to the system, potentially leading to significant disruption by deleting critical files, impacting the integrity and availability of the IBM Planning Analytics Local environment and possibly other system components if the traversal allows access to broader file system areas.

For European organizations using IBM Planning Analytics Local 2.0 or 2.1, this vulnerability poses a risk primarily to the integrity and availability of their analytics and planning data environments. Since the vulnerability requires privileged access, the initial compromise vector might be through insider threats or escalation of privileges after an initial breach. Successful exploitation could lead to deletion of critical files, causing service disruptions, data loss, and operational downtime. This could affect financial planning, forecasting, and decision-making processes that rely on IBM Planning Analytics, potentially leading to business continuity issues and regulatory compliance challenges, especially under GDPR where data integrity and availability are important. The impact is more severe in environments where backups are insufficient or recovery processes are slow. Additionally, disruption in analytics services could indirectly affect reporting obligations and operational transparency required in regulated sectors such as finance and manufacturing prevalent in Europe.

1. Restrict privileged access strictly to trusted administrators and monitor privileged user activities closely to prevent misuse. 2. Apply the latest IBM security updates and patches as soon as they become available for Planning Analytics Local to address this vulnerability. 3. Implement robust file system permissions and access controls to limit the scope of file deletions even for privileged users. 4. Employ application-layer monitoring and anomaly detection to identify unusual file deletion patterns or unauthorized directory traversals. 5. Maintain regular, tested backups of critical Planning Analytics data and system files to enable rapid recovery in case of file deletion. 6. Use network segmentation and isolation for systems running IBM Planning Analytics Local to reduce exposure to potential attackers. 7. Conduct periodic security audits and vulnerability assessments focusing on privilege escalation and path traversal risks within the environment.