{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-36438", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "state": "PUBLISHED", "assignerShortName": "ibm", "dateReserved": "2025-04-15T21:17:03.969Z", "datePublished": "2026-03-25T20:31:26.628Z", "dateUpdated": "2026-03-25T20:31:26.628Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2026-03-25T20:31:26.628Z"}, "title": "Multiple Vulnerabilities in IBM Concert Software", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-923", "description": "CWE-923 Improper Restriction of Communication Channel to Intended Endpoints", "type": "CWE"}]}], "affected": [{"vendor": "IBM", "product": "Concert", "versions": [{"status": "affected", "version": "1.0.0", "lessThanOrEqual": "2.2.0", "versionType": "semver"}], "cpes": ["cpe:2.3:a:ibm:concert:1.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:concert:2.2.0:*:*:*:*:*:*:*"]}], "descriptions": [{"lang": "en", "value": "IBM Concert 1.0.0 through 2.2.0 could allow a privileged user to perform unauthorized actions due to improper restriction of channel communication to intended endpoints.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>IBM Concert 1.0.0 through 2.2.0 could allow a privileged user to perform unauthorized actions due to improper restriction of channel communication to intended endpoints.</p>"}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7267105", "tags": ["vendor-advisory", "patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 5.1, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"}}], "solutions": [{"lang": "en", "value": "IBM strongly recommends addressing the vulnerability now by upgrading to IBM Concert Software 2.3.1\n\nDownload IBM Concert Software 2.3.1 from Container software library section of IBM Entitled Registry ( ICR https://myibm.ibm.com/products-services/containerlibrary ) and follow\u00a0 installation instructions https://www.ibm.com/docs/en/concert \u00a0depending on the type of deployment.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>IBM strongly recommends addressing the vulnerability now by upgrading to IBM Concert Software 2.3.1</p><p>Download IBM Concert Software 2.3.1 from Container software library section of IBM Entitled Registry (<a href=\"https://myibm.ibm.com/products-services/containerlibrary\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">ICR</a>) and follow&nbsp;<a href=\"https://www.ibm.com/docs/en/concert?topic=installing-preparing-run-installs-from-private-container-registry\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">installation instructions</a>&nbsp;depending on the type of deployment.</p>"}]}], "x_generator": {"engine": "ibm-cvegen"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "IBM Concert 1.0.0 through 2.2.0 could allow a privileged user to perform unauthorized actions due to improper restriction of channel communication to intended endpoints."}], "id": "CVE-2025-36438", "lastModified": "2026-03-25T21:16:25.283", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.4, "impactScore": 3.6, "source": "psirt@us.ibm.com", "type": "Primary"}]}, "published": "2026-03-25T21:16:25.283", "references": [{"source": "psirt@us.ibm.com", "url": "https://www.ibm.com/support/pages/node/7267105"}], "sourceIdentifier": "psirt@us.ibm.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-923"}], "source": "psirt@us.ibm.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T21:24:27.187877+00:00", "value": {"mitigation_remediation": ["Upgrade IBM Concert Software to version 2.3.1 following IBM\u2019s installation guidance", "Verify that the upgrade is successfully applied to all instances of IBM Concert in your environment", "Restrict privileged user accounts to the minimum permissions required to perform their roles"], "summary": {"action": "Immediate Patch", "impact": "Unauthorized actions by privileged users"}, "threat_synthesis": {"affected_systems": "The vulnerability applies to IBM Concert products, specifically versions 1.0.0, 1.x, and 2.2.0. IBM recommends upgrading to version 2.3.1, which can be obtained from the IBM Container Software Library, and provides installation instructions for both clustered and non\u2011clustered deployments.", "description_and_impact": "IBM Concert software versions 1.0.0 through 2.2.0 contain a flaw that allows a user who already holds privileged access to perform actions against unintended endpoints, because channel communication is not properly restricted to its intended destinations. The weakness, identified as CWE\u2011923, has the potential to enable unauthorized data manipulation or compromise of system integrity, and is reflected in a CVSS score of 5.1 indicating moderate risk.", "risk_and_exploitability": "The flaw is not listed in the CISA KEV catalog and no EPSS score is available, suggesting that no widespread exploitation has been observed. The likely attack vector requires a user who already has legitimate privileged access; once compromised, the attacker can execute unauthorized actions within the scope of their privileges. While the risk is moderate to high for environments that demand strict endpoint segregation, immediate patching remains the definitive protective measure."}}}}, "created": "2026-03-25T21:46:08.239887+00:00", "updated": "2026-03-25T21:46:08.239924+00:00", "vendors": []}