Severity
High
Analysis Summary
CVE-2025-36041 CVSS:4.7
IBM MQ Operator LTS, MQ Operator CD, and MQ Operator SC2 Native HA CRR could be configured with a private key and chain other than the intended key which could disclose sensitive information or allow the attacker to perform unauthorized actions.
CVE-2025-1411 CVSS:7.8
IBM Security Verify Directory Container could allow a local user to execute commands as root due to execution with unnecessary privileges.
CVE-2025-0923 CVSS:5.3
IBM Cognos Analytics stores source code on the web server, which could aid in further attacks against the system.
CVE-2025-25032 CVSS:7.5
IBM Cognos Analytics could allow an authenticated user to cause a denial of service by sending a specially crafted request that would exhaust memory resources.
CVE-2025-0917 CVSS:5.5
IBM Cognos Analytics is vulnerable to stored cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVE-2025-3473 CVSS:6.7
IBM Security Guardium could allow a local privileged user to escalate their privileges to root due to insecure inherited permissions created by the program.
Impact
- Information Disclosure
- Denial of Service
- Cross-Site Scripting
- Privilege Escalation
- Code Execution
Indicators of Compromise
CVE
CVE-2025-36041
CVE-2025-1411
CVE-2025-0923
CVE-2025-0917
CVE-2025-25032
CVE-2025-3473
Affected Vendors
- IBM
Affected Products
- IBM Mq Operator - 3.1.3 LTS
- IBM MQ Operator CD
- IBM Mq Operator 3.1.0Ibm
- IBM Security Verify Directory - 10.0.0
- IBM Security Verify Directory - 10.0.3
- IBM Cognos Analytics - 11.2.0
- IBM Cognos Analytics - 11.2.1
- IBM Cognos Analytics - 11.2.2
- IBM Cognos Analytics - 11.2.3
- IBM Cognos Analytics - 11.2.4
- IBM Security Guardium - 12.1
Remediation
Refer to the IBM Security Advisory for patch, upgrade, or suggested workaround information.