CVE-2025-12708

EUVD-2025-209008 | Severity: MEDIUM (CVSS 3.1 base score 6.2)
Published: 2026-03-25 | Vendor: ibm | GHSA-j796-6jhh-59m4

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

EUVD ID Assigned: Mar 25, 2026 - 20:17 (euvd) - EUVD-2025-209008
Analysis Generated: Mar 25, 2026 - 20:17 (vuln.today)
Patch Released: Mar 25, 2026 - 20:17 (nvd) - Patch available
CVE Published: Mar 25, 2026 - 20:04 (nvd)

Description

IBM Concert 1.0.0 through 2.2.0 contains hard-coded credentials that could be obtained by a local user.

Analysis

IBM Concert versions 1.0.0 through 2.2.0 contain hard-coded credentials accessible to local users, enabling unauthorized authentication bypass and potential privilege escalation. An attacker with local access can extract these credentials to gain unauthorized system access without requiring network connectivity or user interaction. This vulnerability is classified as moderate severity (CVSS 6.2) with high confidentiality impact but no direct integrity or availability impact.

Technical Context

The vulnerability is rooted in CWE-798 (Use of Hard-Coded Credentials), a critical authentication control weakness where sensitive credentials are embedded directly in application code, configuration files, or binaries rather than being dynamically managed through secure credential stores. IBM Concert (cpe:2.3:a:ibm:concert:*:*:*:*:*:*:*:*) fails to implement secure credential management practices across versions 1.0.0 through 2.2.0. Hard-coded credentials are particularly dangerous because they cannot be rotated post-deployment, cannot be individualized per installation, and become permanent security liabilities if the code is decompiled or configuration files are inspected. This weakness directly undermines the authentication mechanism that should verify user identity before granting system access.

Affected Products

IBM Concert versions 1.0.0 through 2.2.0 are affected, as confirmed by the CPE designation cpe:2.3:a:ibm:concert:*:*:*:*:*:*:*:*. Users should verify their installed version against the affected range and consult IBM's official security advisory at https://www.ibm.com/support/pages/node/7267105 for version-specific impact confirmation and patch details.

Remediation

Immediately upgrade IBM Concert to version 2.3.0 or later, which contains the fix for hard-coded credentials (refer to vendor advisory at https://www.ibm.com/support/pages/node/7267105 for precise patching procedures). If immediate patching is not feasible, implement compensating controls: restrict local file system access to Concert installations using operating-system-level access controls (e.g., file permissions, SELinux, AppArmor) to limit exposure to local users; audit and rotate any credentials that may have been obtained from hard-coded sources; and monitor authentication logs for unauthorized access attempts. For environments where Concert must remain unpatched temporarily, isolate affected systems from untrusted users and conduct a thorough security review of any local accounts with potential access.
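The Technical Context section describes the CWE-798 weakness in the abstract, and the Remediation section lists file-permission restrictions and credential audits as compensating controls. The following Python is an added example, not code from this advisory or from IBM Concert: it places the embedded-credential pattern beside a hardened loader that takes the secret per installation (environment variable or an owner-only-readable file, with no built-in fallback), and adds a small scanner of the kind a defender runs over source and configuration trees to find literal credentials before release. The environment-variable name, file names, regular expressions and the sample configuration text are all constructed for illustration.

```python
import os
import re
import stat
import tempfile
from pathlib import Path
from typing import List, Mapping, Optional, Tuple

# --- Vulnerable pattern (CWE-798): the secret is part of the program.
# Every installation shares it, any local user who can read the file or
# binary obtains it, and it cannot be rotated without shipping a new release.
SERVICE_PASSWORD = "hunter2"  # constructed value for illustration only

def connect_insecure() -> str:
    # Returns the token the service would present; the secret is baked in.
    return f"svc:{SERVICE_PASSWORD}"

# --- Hardened pattern: the credential is injected per installation, either
# through the environment or through a file only the service account can read.
# There is deliberately no built-in default to fall back on.
class CredentialError(RuntimeError):
    pass

def load_secret(env_var: str = "CONCERT_SVC_PASSWORD",  # assumed name
                secret_file: Optional[Path] = None,
                environ: Optional[Mapping[str, str]] = None) -> str:
    env = os.environ if environ is None else environ
    value = env.get(env_var)
    if value:
        return value
    if secret_file is None:
        raise CredentialError(f"{env_var} is unset and no secret file was configured")
    mode = stat.S_IMODE(secret_file.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        # A group- or world-readable secret file is the same exposure as a
        # hard-coded one, so refuse it rather than silently proceed.
        raise CredentialError(f"{secret_file} is readable by others (mode {oct(mode)})")
    value = secret_file.read_text(encoding="utf-8").strip()
    if not value:
        raise CredentialError(f"{secret_file} is empty")
    return value

def check_secret_file_modes() -> Tuple[str, bool]:
    """Self-check: a 0600 secret file loads, a 0644 one is rejected."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "good.secret"
        good.write_text("per-install-secret\n", encoding="utf-8")
        os.chmod(good, 0o600)
        loaded = load_secret(secret_file=good, environ={})
        bad = Path(tmp) / "bad.secret"
        bad.write_text("exposed-secret\n", encoding="utf-8")
        os.chmod(bad, 0o644)
        try:
            load_secret(secret_file=bad, environ={})
            rejected = False
        except CredentialError:
            rejected = True
    return loaded, rejected

# --- Detection: find assignments that embed a literal credential. Run this
# over source and configuration trees before release or during an audit.
CREDENTIAL_ASSIGNMENT = re.compile(
    r"""(pass(?:word)?|passwd|pwd|secret|api[_-]?key|token|private[_-]?key)\b"""
    r"""\s*[:=]\s*['"]([^'"]{4,})['"]""",
    re.IGNORECASE,
)
# Templated or placeholder values are not embedded secrets and would only add noise.
PLACEHOLDER = re.compile(r"(?i)^(\$\{|<|changeme|your[_-]|\*{3,})")

def scan_for_hardcoded(text: str) -> List[Tuple[int, str, str]]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = CREDENTIAL_ASSIGNMENT.search(line)
        if m and not PLACEHOLDER.match(m.group(2)):
            findings.append((lineno, m.group(1).lower(), m.group(2)))
    return findings

# Constructed sample of a configuration file; not taken from IBM Concert.
SAMPLE_CONFIG = """\
# service settings
db_user = "concert"
db_password = "S3cretValue!"
api_key: "${API_KEY}"
token = "changeme"
timeout = 30
"""

if __name__ == "__main__":
    print("insecure token:", connect_insecure())
    print("secret file self-check:", check_secret_file_modes())
    for lineno, key, value in scan_for_hardcoded(SAMPLE_CONFIG):
        print(f"line {lineno}: hard-coded {key} = {value!r}")
```

The loader refuses a secret file that is group- or world-readable instead of warning and continuing, because a readable secret file is exactly the local-user exposure this advisory describes; the scanner deliberately ignores templated and placeholder values so that its findings are actionable rather than noisy.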

Priority Score

Priority Score: 31 (scale: Low / Medium / High / Critical)

Contributing factors:
KEV: 0
EPSS: +0.0
CVSS: +31
POC: 0


CVE-2025-12708 vulnerability details – vuln.today
