CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Description (NVD)
IBM Concert 1.0.0 through 2.2.0 transmits data in clear text that could allow an attacker to obtain sensitive information using man in the middle techniques.
Analysis (AI)
IBM Concert versions 1.0.0 through 2.2.0 transmit sensitive data in cleartext, allowing attackers to intercept and read this information via man-in-the-middle (MITM) attacks. The vulnerability affects all versions within the specified range of the IBM Concert application. An attacker positioned on the network path between a client and Concert server can eavesdrop on communications to obtain confidential information, though exploitation requires moderate attack complexity and active network positioning.
Technical Context (AI)
This vulnerability is classified under CWE-319 (Cleartext Transmission of Sensitive Information), which describes the failure to encrypt data in transit. IBM Concert (identified via CPE cpe:2.3:a:ibm:concert:*:*:*:*:*:*:*:*) does not enforce encryption for sensitive data transmission. Rather than relying on a secure transport such as TLS, the application sends data over unencrypted channels, so it is readable to any attacker positioned on the data path, whether through direct network access or by techniques such as ARP spoofing, DNS hijacking, or BGP hijacking. In such cases the root cause is typically an architectural or configuration decision that prioritizes compatibility or performance over security, a common pattern in legacy enterprise applications.
Remediation (AI)
Upgrade IBM Concert to version 2.2.1 or later as provided by IBM (see https://www.ibm.com/support/pages/node/7267105). Organizations unable to patch immediately should apply network-level controls: deploy Concert behind a TLS-terminating reverse proxy or API gateway so that all client traffic to the proxy is encrypted (the proxy-to-Concert hop remains cleartext and must itself sit on an isolated segment); apply network segmentation so that only trusted internal networks can reach Concert; disable any cleartext listeners and force all traffic through the encrypted channel; and monitor network traffic for patterns indicative of MITM attempts. Additionally, consider certificate pinning in client applications so that interception is detected even if network-level controls are bypassed.
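As an added example (not code from IBM or from this advisory), the following Python check audits whether a TLS-terminating front end such as the reverse proxy described above actually enforces encryption: a cleartext listener may only redirect clients to https://, and the TLS listener must send a Strict-Transport-Security header. The probe records, the hostname concert.example.internal, the one-year HSTS floor and the helper names are constructed assumptions.

```python
"""Audit a TLS-terminating proxy front end for residual cleartext exposure.
Added example (not IBM's or the advisory's code): each Probe summarises one HTTP
exchange observed against a listener; records below are constructed, names hypothetical.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

ONE_YEAR = 31536000  # assumed HSTS max-age floor (one year, a common recommendation)

@dataclass
class Probe:
    port: int
    tls: bool
    status: Optional[int]                 # None: listener refused the connection
    headers: dict = field(default_factory=dict)

def _hsts_max_age(value: str) -> int:
    """Parse max-age out of a Strict-Transport-Security header value (0 if absent)."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else 0

def audit_transport(probes):
    """Return findings; an empty list means every listener enforces encryption."""
    findings = []
    for p in probes:
        if p.status is None:
            continue                      # closed port: nothing exposed
        if not p.tls:
            location = p.headers.get("Location", "")
            # A cleartext listener may only bounce clients to https://, never serve content.
            if not (p.status in (301, 308) and location.lower().startswith("https://")):
                findings.append(f"port {p.port}: cleartext listener answers {p.status} "
                                "instead of redirecting to https://")
        elif _hsts_max_age(p.headers.get("Strict-Transport-Security", "")) < ONE_YEAR:
            findings.append(f"port {p.port}: TLS listener sends no Strict-Transport-Security "
                            f"header with max-age >= {ONE_YEAR}")
    return findings

# Constructed samples: WEAK serves the application over plain HTTP and never pins
# clients to TLS; HARDENED redirects port 80 and sets HSTS on port 443.
WEAK = [Probe(80, False, 200, {"Content-Type": "text/html"}),
        Probe(443, True, 200, {})]
HARDENED = [Probe(80, False, 301, {"Location": "https://concert.example.internal/"}),
            Probe(443, True, 200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})]

if __name__ == "__main__":
    for name, probes in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_transport(probes) or ["ok"])
```

Feeding it real probe results (for example from a curl run against each listener) turns the same function into a regression check that the cleartext port has not been reopened after maintenance.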
EUVD-2025-209035
GHSA-2q55-36vw-45v7