CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Description
IBM Concert 1.0.0 through 2.2.0 could allow a privileged user to perform unauthorized actions due to improper restriction of channel communication to intended endpoints.
Analysis
IBM Concert versions 1.0.0 through 2.2.0 contain an improper channel communication restriction vulnerability that allows privileged users to perform unauthorized actions by bypassing intended endpoint controls. The vulnerability, classified as CWE-923 (Improper Restriction of Communication Channel to Intended Endpoints), carries a CVSS 3.1 base score of 5.1 (medium severity) with an integrity-only impact. It is not currently listed in CISA's Known Exploited Vulnerabilities catalog, and a vendor patch is available.
Technical Context
This vulnerability stems from inadequate validation and enforcement of channel communication restrictions in IBM Concert (CPE: cpe:2.3:a:ibm:concert:*:*:*:*:*:*:*:*), a collaboration and orchestration platform. CWE-923 describes scenarios where applications fail to properly restrict communication to only intended endpoints or channels, potentially allowing attackers with elevated privileges to interact with unintended system components or services. In the context of IBM Concert, this likely involves inter-service communication, API gateways, or message queue channels that should be isolated but are accessible to privileged users through insufficient access controls or authentication mechanisms at the channel level rather than the application layer.
Affected Products
IBM Concert versions 1.0.0 through 2.2.0 are affected by this vulnerability. The affected software is identified via CPE cpe:2.3:a:ibm:concert:*:*:*:*:*:*:*:*. Organizations using any version within this range should prioritize upgrading to version 2.2.1 or later. IBM has published a security advisory with patch details available at https://www.ibm.com/support/pages/node/7267105.
Remediation
Upgrade IBM Concert to version 2.2.1 or later immediately using the patch made available by IBM at https://www.ibm.com/support/pages/node/7267105. For environments where immediate patching is not feasible, implement network segmentation to restrict local access to Concert infrastructure, enforce strict access control lists on inter-service communication channels, audit and revoke unnecessary privileged accounts, and monitor channel communication logs for unauthorized endpoint access attempts. Additionally, ensure that all Concert instances operate with the minimum required privileges and apply the principle of least privilege to service accounts and administrative users.
EUVD-2025-209027