Aix · EUVD-2025-17693

CVE-2025-33112 · HIGH
Relative Path Traversal (CWE-23)
Published 2025-06-10 · psirt@us.ibm.com
8.4 (CVSS 3.1 · NVD)

Severity by source

NVD PRIMARY
8.4 HIGH
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

EUVD ID Assigned: Mar 14, 2026 - 19:49 (euvd) · EUVD-2025-17693
Analysis Generated: Mar 14, 2026 - 19:49 (vuln.today)
CVE Published: Jun 10, 2025 - 17:23 (nvd) · HIGH 8.4

Description (CVE.org)

IBM AIX 7.3 and IBM VIOS 4.1.1 Perl implementation could allow a non-privileged local user to exploit a vulnerability to execute arbitrary code due to improper neutralization of pathname input.

Analysis (AI)

Local privilege escalation vulnerability in the Perl implementation shipped with IBM AIX 7.3 and IBM VIOS 4.1.1 that allows a non-privileged local user to execute arbitrary code through improper pathname neutralization (relative path traversal). With a CVSS score of 8.4 and no privileges or user interaction required, this is a serious risk for AIX environments where untrusted local user access exists. Should active exploitation or a public proof of concept be reported, the real-world risk would rise significantly.

Technical Context (AI)

The vulnerability exists in the Perl implementation bundled with IBM AIX and VIOS, specifically in how pathname inputs are processed. CWE-23 (Relative Path Traversal) indicates that the root cause is improper neutralization of special path elements (such as '..' segments or symbolic links) in user-supplied pathname input. The affected Perl component does not adequately sanitize or validate file paths before using them in file operations, so an attacker can traverse directory boundaries and access or execute files outside the intended directories. Affected CPE strings are cpe:2.3:o:ibm:aix:7.3:*:*:*:*:*:*:* and cpe:2.3:o:ibm:vios:4.1.1:*:*:*:*:*:*:*. This is particularly dangerous because Perl is commonly used for system administration scripts and utilities that may run with elevated privileges or in sensitive contexts.

Remediation (AI)

IBM should release security patches for AIX 7.3 and VIOS 4.1.1 addressing improper pathname neutralization in Perl. Pending patch availability:

(1) Check the IBM Security Advisories portal for CVE-2025-33112 fixes and apply them promptly to all affected systems.
(2) If patches are unavailable, restrict local user access to affected AIX systems through access controls and privilege separation.
(3) Review Perl scripts and applications for hard-coded path assumptions and implement input validation for any user-supplied pathname parameters.
(4) Monitor AIX audit logs for suspicious file access patterns or unexpected Perl script executions.
(5) Consider AIX's native mandatory access controls (MAC) to limit the damage from arbitrary code execution (SELinux is a Linux mechanism and is not available on AIX).
(6) Segment the network to isolate AIX systems and limit lateral movement if a local compromise occurs.

Contact IBM support for vendor-specific patch timelines and advisories.


EUVD-2025-17693 vulnerability details – vuln.today
