Skip to main content

IBM CVE-2025-36438

| EUVDEUVD-2025-209027 MEDIUM
Improper Restriction of Communication Channel to Intended Endpoints (CWE-923)
2026-03-25 ibm
5.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.1 MEDIUM
AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

4
EUVD ID Assigned
Mar 25, 2026 - 20:47 euvd
EUVD-2025-209027
Analysis Generated
Mar 25, 2026 - 20:47 vuln.today
Patch released
Mar 25, 2026 - 20:47 nvd
Patch available
CVE Published
Mar 25, 2026 - 20:31 nvd
MEDIUM 5.1

DescriptionCVE.org

IBM Concert 1.0.0 through 2.2.0 could allow a privileged user to perform unauthorized actions due to improper restriction of channel communication to intended endpoints.

AnalysisAI

IBM Concert versions 1.0.0 through 2.2.0 contain an improper channel communication restriction vulnerability that allows privileged users to perform unauthorized actions by bypassing intended endpoint controls. The vulnerability, classified as CWE-923 (Improper Restriction of Communication Channel to Intended Endpoints), has a CVSS score of 5.1 with medium integrity impact and is not currently listed in CISA's Known Exploited Vulnerabilities catalog, though a vendor patch is available.

Technical ContextAI

This vulnerability stems from inadequate validation and enforcement of channel communication restrictions in IBM Concert (CPE: cpe:2.3:a:ibm:concert:*:*:*:*:*:*:*:*), a collaboration and orchestration platform. CWE-923 describes scenarios where applications fail to properly restrict communication to only intended endpoints or channels, potentially allowing attackers with elevated privileges to interact with unintended system components or services. In the context of IBM Concert, this likely involves inter-service communication, API gateways, or message queue channels that should be isolated but are accessible to privileged users through insufficient access controls or authentication mechanisms at the channel level rather than the application layer.

RemediationAI

Upgrade IBM Concert to version 2.2.1 or later immediately using the patch made available by IBM at https://www.ibm.com/support/pages/node/7267105. For environments where immediate patching is not feasible, implement network segmentation to restrict local access to Concert infrastructure, enforce strict access control lists on inter-service communication channels, audit and revoke unnecessary privileged accounts, and monitor channel communication logs for unauthorized endpoint access attempts. Additionally, ensure that all Concert instances operate with minimal required privileges and apply principle of least privilege to service accounts and administrative users.

Share

CVE-2025-36438 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy