Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
IBM CICS Transaction Gateway for Multiplatforms 9.3 and 10.1 could allow a user to transfer or view files due to improper access controls.
AnalysisAI
IBM CICS Transaction Gateway for Multiplatforms versions 9.3 and 10.1 contain an improper access control vulnerability (CWE-284) that allows local users to transfer or view files without authentication or authorization checks. An attacker with local system access can exploit this flaw to read sensitive data or modify files, resulting in confidentiality and integrity compromise with a CVSS base score of 5.1. This vulnerability affects a critical middleware component used in enterprise transaction processing environments.
Technical ContextAI
IBM CICS Transaction Gateway (CTG) is a middleware product that provides Java client connectivity to CICS transaction servers. The vulnerability stems from inadequate access control mechanisms in the file handling routines of CTG versions 9.3 and 10.1, classified under CWE-284 (Improper Access Control - Generic). The root cause is the failure to enforce proper authentication and authorization checks before allowing file operations, enabling any local process to interact with protected files managed by the CTG application. This affects the core authentication and file access logic within the gateway, which should restrict file operations to authenticated and authorized users only.
RemediationAI
Upgrade IBM CICS Transaction Gateway to a patched version released after the vulnerability disclosure. Organizations should immediately apply the latest security patches provided by IBM for both the 9.3 and 10.1 product lines. Until patches can be deployed, implement compensating controls by restricting local system access to the CTG installation directory and associated configuration files using operating system-level access controls (file permissions, ACLs), limiting which user accounts and processes can interact with the gateway. Additionally, enforce principle of least privilege for service accounts running CTG, disable unnecessary local shell access to systems hosting the gateway, and audit file access logs to detect any suspicious file transfer or viewing activity. Consult IBM's official security advisory at https://www.ibm.com/support/pages/security-bulletins for patch download links and compatibility guidance.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12071