CVSS Vector (NVD)
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Description (NVD)
IBM Concert 1.0.0 through 2.2.0 contains hard-coded credentials that could be obtained by a local user.
Analysis (AI)
IBM Concert versions 1.0.0 through 2.2.0 contain hard-coded credentials that a local user can read and reuse to authenticate, bypassing the intended authentication controls and potentially escalating privileges. Because the credentials are obtained from the local system, no network connectivity or user interaction is required. The vulnerability is rated moderate severity (CVSS 6.2), with high confidentiality impact and no direct integrity or availability impact.
Technical Context (AI)
The vulnerability is rooted in CWE-798 (Use of Hard-Coded Credentials), an authentication control weakness in which sensitive credentials are embedded directly in application code, configuration files, or binaries instead of being managed at runtime through a secure credential store. IBM Concert (cpe:2.3:a:ibm:concert:*:*:*:*:*:*:*:*) fails to follow secure credential management practices in versions 1.0.0 through 2.2.0. Hard-coded credentials are particularly dangerous because they cannot be rotated after deployment, cannot be individualized per installation, and remain a permanent liability once the code is decompiled or the configuration files are inspected. This weakness directly undermines the authentication mechanism that should verify identity before granting system access.
Remediation (AI)
Immediately upgrade IBM Concert to version 2.3.0 or later, which contains the fix for the hard-coded credentials (see the vendor advisory at https://www.ibm.com/support/pages/node/7267105 for the exact patching procedure). If immediate patching is not feasible, apply compensating controls: restrict local file-system access to the Concert installation with operating-system-level access controls (file permissions, SELinux, AppArmor) so that fewer local users can reach the embedded credentials; audit and rotate any credentials that may already have been obtained from the hard-coded sources; and monitor authentication logs for unauthorized access attempts. While Concert remains unpatched, isolate the affected systems from untrusted users and review every local account that could reach the installation.
External POC / Exploit Code
EUVD-2025-209008
GHSA-j796-6jhh-59m4