Skip to main content

IBM CVE-2025-36440

| EUVDEUVD-2025-209029 MEDIUM
Insufficiently Protected Credentials (CWE-522)
2026-03-25 ibm GHSA-p29m-v6j2-fcqm
5.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.1 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
EUVD ID Assigned
Mar 25, 2026 - 20:47 euvd
EUVD-2025-209029
Analysis Generated
Mar 25, 2026 - 20:47 vuln.today
Patch released
Mar 25, 2026 - 20:47 nvd
Patch available
CVE Published
Mar 25, 2026 - 20:34 nvd
MEDIUM 5.1

DescriptionCVE.org

IBM Concert 1.0.0 through 2.2.0 could allow a local user to obtain sensitive information due to missing function level access control.

AnalysisAI

IBM Concert versions 1.0.0 through 2.2.0 contain a missing function-level access control vulnerability that allows local users to obtain sensitive information without authentication. An attacker with local system access can bypass authorization checks to read confidential data stored within the application. While the CVSS score of 5.1 indicates moderate severity, the lack of authentication requirements and local attack vector present a meaningful risk in multi-tenant or shared system environments.

Technical ContextAI

This vulnerability stems from inadequate implementation of function-level access control, classified under CWE-522 (Insufficiently Protected Credentials). IBM Concert, an enterprise collaboration and business process platform, fails to properly validate user permissions before exposing sensitive functionality. The affected versions (1.0.0 through 2.2.0) contain logic flaws where critical functions can be invoked without proper authentication or authorization checks. The vulnerability affects the core Concert application (identified via CPE cpe:2.3:a:ibm:concert:*:*:*:*:*:*:*:*), meaning all installations within the affected version range are potentially exposed. This is a classic authorization bypass allowing horizontal privilege escalation or lateral movement from a compromised local account.

RemediationAI

Immediately upgrade IBM Concert to a patched version released after the vulnerability disclosure (consult the IBM support page at https://www.ibm.com/support/pages/node/7267105 for the specific target version and upgrade procedures). Before patching is feasible, apply compensating controls: restrict local system access through OS-level user account management and group policies, disable unnecessary local accounts, and implement filesystem-level access controls to prevent unauthorized process execution. Monitor Concert application logs for suspicious function invocations or unauthorized data access attempts. If Concert processes sensitive credentials, rotate all credentials post-remediation. Schedule patching during a maintenance window, as Concert is likely business-critical; test patches in a staging environment first to ensure compatibility with existing deployments.

Share

CVE-2025-36440 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy