CVSS Vector (NVD)
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Description (NVD)
IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 stores user credentials and other sensitive information in plain text, which can be read by a local user.
Analysis (AI)
IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 store user credentials and other sensitive information in plain text, allowing local users to read this data. This is a high-severity information disclosure vulnerability with a CVSS score of 7.1, primarily due to the potential for complete confidentiality breach across security boundaries. A patch is available from IBM, and there is no evidence of active exploitation or public proof-of-concept at this time.
Technical Context (AI)
IBM InfoSphere Information Server is an enterprise data integration and governance platform used for ETL (extract, transform, load) operations and master data management. The vulnerability stems from CWE-256 (Plaintext Storage of a Password), indicating that the application persists sensitive credentials and potentially other confidential data in unencrypted form on the filesystem or in configuration files. The affected product is identified via CPE cpe:2.3:a:ibm:infosphere_information_server spanning all versions from 11.7.0.0 through 11.7.1.6. This type of vulnerability typically arises from insufficient application of cryptographic protections during credential storage, making the data readable by any user with local filesystem access.
Remediation (AI)
Apply the security patch provided by IBM as documented in the vendor advisory at https://www.ibm.com/support/pages/node/7266489. The advisory contains specific upgrade instructions and patch files for InfoSphere Information Server 11.7.x versions. Until patching can be completed, implement compensating controls including strict filesystem permissions to limit local access to InfoSphere installation directories, enhanced monitoring for unauthorized access to credential storage locations, and segregation of InfoSphere servers to prevent untrusted local users from gaining access. Review and rotate any credentials that may have been stored in plain text to prevent potential abuse of previously exposed data.
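The compensating control above (strict filesystem permissions on the installation directories) can be checked and enforced with a small audit. The following is an added example, not code from the IBM advisory or from vuln.today: it walks an install tree, reports configuration files whose group or world read bit is set, and tightens them to owner-only. The install path (a temporary directory in the demo) and the set of file extensions are assumptions; the page names no specific files or paths.

```python
# Added example (not from the IBM advisory or vuln.today): audit an install
# tree for configuration files readable by users other than the owner, then
# restrict them to owner-only. The install path and the extension list are
# assumptions; the advisory on this page names no specific files.
import os
import stat
import tempfile
from pathlib import Path

# Extensions where credentials commonly end up; an assumption, adjust per deployment.
CONFIG_SUFFIXES = {".properties", ".xml", ".conf", ".cfg", ".ini"}


def readable_by_others(path: Path) -> bool:
    """True if the group or world read bit is set in the file's mode."""
    mode = path.lstat().st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def find_overexposed(root) -> list:
    """Return sorted paths of regular config files under root that others can read."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_symlink() or not p.is_file():
            continue  # skip links so the audit never follows one outside the tree
        if p.suffix.lower() in CONFIG_SUFFIXES and readable_by_others(p):
            hits.append(str(p))
    return sorted(hits)


def restrict_to_owner(paths) -> int:
    """chmod each file to 0600 (owner read/write only); returns the count changed."""
    for p in paths:
        os.chmod(p, stat.S_IRUSR | stat.S_IWUSR)
    return len(paths)


def demo() -> dict:
    """Build a constructed install tree in a temp dir and run the audit over it."""
    root = tempfile.mkdtemp(prefix="infosphere-demo-")  # placeholder for the real install path
    exposed = Path(root, "conf", "db.properties")
    private = Path(root, "conf", "private.conf")
    log = Path(root, "logs", "server.log")
    for f in (exposed, private, log):
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_text("constructed sample content\n")
    os.chmod(exposed, 0o644)   # readable by any local user: this is the finding
    os.chmod(private, 0o600)   # already owner-only, not reported
    os.chmod(log, 0o644)       # not a config file, ignored by the audit
    before = find_overexposed(root)
    changed = restrict_to_owner(before)
    after = find_overexposed(root)
    return {
        "before": [os.path.relpath(p, root) for p in before],
        "changed": changed,
        "after": after,
    }


if __name__ == "__main__":
    print(demo())
```

Run it against the real installation directory (with the service account as owner) instead of the temp tree to get a list before and after. For the monitoring control, a Linux auditd watch on the same directory (for example `auditctl -w <install-dir> -p r -k infosphere-config`) records which local users read those files until the patch is applied.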
Related identifiers
EUVD-2025-209023
GHSA-ppqh-5g92-f826