CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Description
IBM Concert 1.0.0 through 2.2.0 transmits data in clear text that could allow an attacker to obtain sensitive information using man in the middle techniques.
Analysis
IBM Concert versions 1.0.0 through 2.2.0 transmit sensitive data in cleartext, allowing an attacker to intercept and read it via man-in-the-middle (MITM) attacks. All versions in the stated range are affected. An attacker positioned on the network path between a client and the Concert server can eavesdrop on communications to obtain confidential information; the CVSS vector rates attack complexity as high (AC:H), and exploitation requires active positioning on that network path.
Technical Context
This vulnerability is classified under CWE-319 (Cleartext Transmission of Sensitive Information), which covers the failure to encrypt data in transit. IBM Concert (identified via CPE cpe:2.3:a:ibm:concert:*:*:*:*:*:*:*:*) does not enforce encryption for sensitive data transmission. Rather than using a secure transport such as TLS, the application sends data over unencrypted channels, so it is readable by any attacker who already sits on the data path or who can get onto it through ARP spoofing, DNS hijacking, or BGP hijacking. The root cause is an architectural or configuration decision to prioritize compatibility or performance over security, a common pattern in legacy enterprise applications.
Affected Products
IBM Concert versions 1.0.0 through 2.2.0 are affected, as confirmed by the CPE identifier cpe:2.3:a:ibm:concert:*:*:*:*:*:*:*:*. Organizations running any version within this range should immediately assess their deployment. A patch is available from IBM; refer to the vendor security advisory at https://www.ibm.com/support/pages/node/7267105 for guidance on upgrading to the remediated version.
Remediation
Upgrade IBM Concert to version 2.2.1 or later as provided by IBM (see https://www.ibm.com/support/pages/node/7267105). Organizations unable to patch immediately should implement network-level compensating controls: deploy Concert behind a TLS-terminating reverse proxy or API gateway so that all traffic between clients and the proxy is encrypted; apply network segmentation so that Concert is reachable only from trusted internal networks; disable any cleartext listeners and force all traffic through the encrypted channel; and monitor network traffic for patterns indicative of MITM attempts. Additionally, consider certificate pinning in client applications to detect and block interception even if the network-level controls are bypassed.
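The TLS-terminating reverse proxy mitigation above, written out as an added nginx example (not configuration from IBM or from the advisory). The hostname, certificate paths and the backend address and port of the Concert server are placeholders; the advisory does not state which port Concert listens on.

```nginx
# Added example, not from IBM or the advisory. Placeholders: hostname,
# certificate paths, and the Concert backend address/port.

# Cleartext listener: serves no Concert content, only redirects to HTTPS.
server {
    listen 80;
    server_name concert.example.internal;   # placeholder hostname
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name concert.example.internal;   # placeholder hostname

    ssl_certificate     /etc/nginx/tls/concert.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/concert.key;   # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_tickets off;

    # HSTS: instruct user agents to use only HTTPS for this host from now on.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        # The remaining cleartext hop (proxy -> Concert) must stay inside a
        # segmented network that only this proxy can reach. Placeholder target.
        proxy_pass http://10.0.10.5:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}
```

Pair this with firewall rules that drop connections to the Concert listener from any source other than the proxy, otherwise clients can still bypass the proxy and speak cleartext to Concert directly.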
EUVD-2025-209035
GHSA-2q55-36vw-45v7