CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Description
IBM Concert 1.0.0 through 2.2.0 could allow a local user to obtain sensitive information due to missing function level access control.
Analysis
IBM Concert versions 1.0.0 through 2.2.0 contain a missing function-level access control vulnerability that allows local users to obtain sensitive information without authentication. An attacker with local system access can bypass authorization checks to read confidential data stored within the application. While the CVSS score of 5.1 indicates moderate severity, the lack of authentication requirements and local attack vector present a meaningful risk in multi-tenant or shared system environments.
Technical Context
This vulnerability stems from inadequate implementation of function-level access control, classified under CWE-522 (Insufficiently Protected Credentials). IBM Concert, an enterprise collaboration and business process platform, fails to properly validate user permissions before exposing sensitive functionality. The affected versions (1.0.0 through 2.2.0) contain logic flaws where critical functions can be invoked without proper authentication or authorization checks. The vulnerability affects the core Concert application (identified via CPE cpe:2.3:a:ibm:concert:*:*:*:*:*:*:*:*), meaning all installations within the affected version range are potentially exposed. This is a classic authorization bypass allowing horizontal privilege escalation or lateral movement from a compromised local account.
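To illustrate the vulnerability class described above (a function reachable without a function-level authorization check), here is an added example that is not IBM's code and assumes nothing about Concert's internals: the weak pattern, where each handler is responsible for its own check and one handler forgets it, is shown next to a hardened dispatcher that enforces a deny-by-default check before any function runs. All function names, roles and data are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)

# Hypothetical handlers; the secret is a constructed sample value.
def list_projects(user):
    return ["proj-a", "proj-b"]

def export_credentials(user):
    return {"db_password": "s3cr3t-sample"}  # sensitive data

HANDLERS = {
    "list_projects": list_projects,
    "export_credentials": export_credentials,
}

# Central permission table: a function not listed here is never callable.
REQUIRED_ROLE = {
    "list_projects": "viewer",
    "export_credentials": "admin",
}

def dispatch_weak(user, func_name):
    """Weak pattern: authorization is checked per handler, so any handler
    that omits the check (export_credentials here) is exposed to anyone
    who can reach the dispatcher, e.g. an unprivileged local user."""
    if func_name == "list_projects" and "viewer" not in user.roles:
        raise PermissionError(f"{user.name} denied {func_name}")
    return HANDLERS[func_name](user)

def dispatch_hardened(user, func_name):
    """Hardened pattern: one check runs before every handler; an unknown
    function name or a missing role is denied by default."""
    required = REQUIRED_ROLE.get(func_name)
    if required is None or required not in user.roles:
        raise PermissionError(f"{user.name} denied {func_name}")
    return HANDLERS[func_name](user)

def is_denied(dispatcher, user, func_name):
    """True if the dispatcher refuses the call (helper for checks)."""
    try:
        dispatcher(user, func_name)
    except PermissionError:
        return True
    return False
```

The hardened dispatcher also rejects function names that are not in the permission table, which closes the gap created when a new sensitive function is added without a corresponding entry.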
Affected Products
IBM Concert versions 1.0.0 through 2.2.0 are affected, as confirmed by the CPE designation cpe:2.3:a:ibm:concert:*:*:*:*:*:*:*:*. All patch levels within this version range lack proper function-level access control. IBM has released patches to address this vulnerability; see the official IBM support page at https://www.ibm.com/support/pages/node/7267105 for the specific patched versions and download links. Organizations running Concert in production should verify their current version against the affected range and prioritize upgrades accordingly.
Remediation
Upgrade IBM Concert to a fixed version as soon as possible (consult the IBM support page at https://www.ibm.com/support/pages/node/7267105 for the specific target version and upgrade procedures). Until patching is feasible, apply compensating controls: restrict local system access through OS-level user account management and group policies, disable unnecessary local accounts, and implement filesystem-level access controls to prevent unauthorized process execution. Monitor Concert application logs for suspicious function invocations or unauthorized data access attempts. If Concert processes sensitive credentials, rotate all credentials after remediation. Schedule patching during a maintenance window, as Concert is likely business-critical, and test patches in a staging environment first to confirm compatibility with existing deployments.
EUVD-2025-209029
GHSA-p29m-v6j2-fcqm