CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Description (NVD)
IBM Concert 1.0.0 through 2.2.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.
Analysis (AI)
IBM Concert versions 1.0.0 through 2.2.0 use cryptographic algorithms that are weaker than expected, which could allow an unauthenticated network attacker to decrypt highly sensitive information. The CVSS 3.1 base score is 5.9: high confidentiality impact, no integrity or availability impact, and high attack complexity. IBM has released a patch. The issue is a pure information-disclosure risk to the confidentiality of data that Concert encrypts; it does not by itself allow data to be altered or service to be disrupted.
Technical Context (AI)
This vulnerability is classified under CWE-1240 (Use of Insufficiently Trusted Data Source), which in this context refers to cryptographic algorithms that do not provide adequate security strength. IBM Concert, an enterprise integration and orchestration platform, relies on cryptographic operations to protect sensitive configuration data, credentials, and inter-node communication. The weakness likely involves deprecated or mathematically broken primitives (for example weak key derivation functions, insufficient key lengths, or broken cipher suites) rather than modern authenticated encryption such as AES-256-GCM or ChaCha20-Poly1305. The affected CPE (cpe:2.3:a:ibm:concert:*:*:*:*:*:*:*:*) carries a wildcard in the version field, so the affected range is taken from the advisory: versions 1.0.0 through 2.2.0.
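As an added example (not IBM code, and not part of this vuln.today record), the following Python policy check classifies algorithm choices of the kinds named above, key sizes, cipher modes, signature hashes and KDF work factors, against assumed minimum-strength thresholds. The configuration keys and values in SAMPLE_CONFIG are constructed for illustration, and the thresholds (128-bit symmetric keys, 2048-bit RSA/DH, 256-bit EC, 600,000 PBKDF2-HMAC-SHA256 iterations, no RC4/DES/3DES/MD5, no SHA-1 signatures) are assumptions drawn from common guidance rather than anything stated in the advisory.

```python
"""Classify cryptographic algorithm settings against a minimum-strength policy.

Added example; the deny list and thresholds are assumed policy values,
not IBM's or the advisory's.
"""
import re
from dataclasses import dataclass

# Primitives that are broken or deprecated outright (assumed deny list).
BROKEN = {"rc4", "des", "3des", "tripledes", "md4", "md5", "blowfish"}
# Block-cipher modes that give confidentiality but no integrity.
UNAUTHENTICATED_MODES = {"cbc", "ctr", "cfb", "ofb"}
# Authenticated-encryption (AEAD) modes.
AEAD_MODES = {"gcm", "ccm", "poly1305"}
# Minimum key sizes in bits per algorithm family (assumed policy values).
MIN_BITS = {"aes": 128, "rsa": 2048, "dh": 2048, "dsa": 2048,
            "ec": 256, "ecdsa": 256, "ecdh": 256}
MIN_PBKDF2_ITERS = 600_000  # assumed threshold for PBKDF2-HMAC-SHA256


@dataclass
class Finding:
    setting: str
    value: str
    level: str    # "fail", "warn" or "ok"
    reason: str


def assess(setting: str, value: str) -> Finding:
    """Return a Finding for one setting such as 'AES-256-GCM' or 'RSA-1024'.

    A KDF may carry its work factor after a colon, e.g. 'PBKDF2-HMAC-SHA256:1000'.
    """
    v = value.lower()
    algo, _, param = v.partition(":")
    tokens = [t for t in re.split(r"[-_/\s]+", algo) if t]
    bits = next((int(t) for t in tokens if t.isdigit()), None)

    def f(level: str, reason: str) -> Finding:
        return Finding(setting, value, level, reason)

    for t in tokens:
        if t in BROKEN:
            return f("fail", f"{t.upper()} is broken or deprecated")
    if "ecb" in tokens:
        return f("fail", "ECB mode leaks plaintext structure")
    if "sha1" in algo:
        if "hmac" in algo:
            return f("warn", "HMAC-SHA1 is deprecated; migrate to SHA-256")
        return f("fail", "SHA-1 is not acceptable for signatures")
    if "pbkdf2" in tokens:
        iters = int(param) if param.isdigit() else 0
        if iters < MIN_PBKDF2_ITERS:
            return f("warn", f"PBKDF2 iteration count {iters} below {MIN_PBKDF2_ITERS}")
        return f("ok", "PBKDF2 with an adequate work factor")
    if "chacha20" in tokens or "poly1305" in tokens:
        return f("ok", "ChaCha20-Poly1305 AEAD")
    family = next((t for t in tokens if t in MIN_BITS), None)
    if family and bits is not None and bits < MIN_BITS[family]:
        return f("fail", f"{family.upper()} key size {bits} below minimum {MIN_BITS[family]}")
    if family == "aes":
        if any(t in AEAD_MODES for t in tokens):
            return f("ok", "AES in an authenticated (AEAD) mode")
        if any(t in UNAUTHENTICATED_MODES for t in tokens):
            return f("warn", "AES without authentication; prefer GCM or ChaCha20-Poly1305")
    return f("ok", "no policy violation detected")


def audit(config: dict) -> list:
    """Assess every setting in a name -> algorithm mapping."""
    return [assess(k, v) for k, v in config.items()]


def failing_settings(config: dict) -> list:
    """Names of settings that fail the policy, in configuration order."""
    return [fd.setting for fd in audit(config) if fd.level == "fail"]


# Constructed sample configuration; the keys are illustrative, not IBM Concert's.
SAMPLE_CONFIG = {
    "data.at.rest.cipher": "AES-128-ECB",
    "tls.cipher": "AES-256-GCM",
    "legacy.export.cipher": "RC4-128",
    "token.signature": "SHA1withRSA",
    "rsa.keysize": "RSA-1024",
    "secret.kdf": "PBKDF2-HMAC-SHA256:1000",
    "node.channel": "ChaCha20-Poly1305",
}

if __name__ == "__main__":
    for fd in audit(SAMPLE_CONFIG):
        print(f"{fd.level:4}  {fd.setting:24} {fd.value:28} {fd.reason}")
```

Run against a real deployment, the input would be the algorithm identifiers read from the product's configuration or from a TLS scan; the check reports findings in configuration order so the "fail" entries map directly onto the settings that need to change.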
Remediation (AI)
Upgrade IBM Concert to the patched version IBM names in its support advisory at https://www.ibm.com/support/pages/node/7267105. Until the patch is applied, restrict exposure with network-level controls: segment Concert instances onto trusted internal networks only, disable any cryptographic data-export features that are not required, and review access logs for evidence of unauthorized decryption attempts. After patching, rotate the affected keys and re-encrypt existing sensitive data with the stronger algorithms where Concert supports it. Inventory encrypted artifacts held in backups or archives and schedule them for re-encryption after the patch, since they remain protected only by the weak algorithm until then.
Related identifiers
EUVD-2025-209033
GHSA-42vr-vvgx-qhgx