CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Description
IBM Concert 1.0.0 through 2.2.0 uses weaker-than-expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.
Analysis
IBM Concert versions 1.0.0 through 2.2.0 use cryptographic algorithms weaker than expected, which could allow an unauthenticated attacker to decrypt highly sensitive information. The CVSS v3.1 base score is 5.9 (Medium): high confidentiality impact with no integrity or availability impact, reachable over the network without privileges or user interaction, but with high attack complexity. A patch is available from IBM. The issue is purely an information-disclosure risk to the confidentiality of data encrypted by the product.
Technical Context
This vulnerability is classified as CWE-1240 (Use of Insufficiently Trusted Data Source), which in this context refers to cryptographic algorithms that do not provide adequate security strength. IBM Concert, an enterprise integration and orchestration platform, relies on cryptographic operations to protect sensitive configuration data, credentials, and inter-node communication. The description does not name the weak primitive; the weakness likely involves deprecated or mathematically broken primitives (weak key derivation functions, insufficient key lengths, or broken cipher suites) rather than modern authenticated encryption such as AES-256-GCM or ChaCha20-Poly1305. The affected CPE (cpe:2.3:a:ibm:concert:*:*:*:*:*:*:*:*) uses a wildcard version field; the advisory bounds the affected range to versions 1.0.0 through 2.2.0.
Affected Products
IBM Concert versions 1.0.0 through 2.2.0 are affected (CPE cpe:2.3:a:ibm:concert:*:*:*:*:*:*:*:*). Every installation running a version in this range is exposed to decryption of sensitive data. IBM has published a fix through its support portal at https://www.ibm.com/support/pages/node/7267105. Verify the installed Concert version and compare it against the fixed version number given in the IBM security advisory.
Remediation
Upgrade IBM Concert to a patched version released after 2.2.0, as detailed in the IBM support advisory at https://www.ibm.com/support/pages/node/7267105. Until the upgrade is complete, apply network-level controls: segment Concert instances onto trusted internal networks only, disable any cryptographic data export features that are not needed, and review access logs for signs of unauthorized access to encrypted data. Patching changes the algorithm going forward but does not re-protect data already encrypted with the weak one, so after patching rotate keys and re-encrypt existing sensitive data with the stronger algorithms where Concert allows it. Inventory encrypted artifacts held in backups and archives and schedule them for re-encryption as well.
Related identifiers
EUVD-2025-209033
GHSA-42vr-vvgx-qhgx