Severity
High
Analysis Summary
CVE-2025-3356 CVSS:8.6
IBM Tivoli Monitoring 6.3.0.7 through 6.3.0.7 Service Pack 21 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view, overwrite, or append to arbitrary files on the system.
CVE-2025-3355 CVSS:7.5
IBM Tivoli Monitoring 6.3.0.7 through 6.3.0.7 Service Pack 21 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.
CVE-2025-36137 CVSS:7.2
IBM Sterling Connect Direct for Unix 6.2.0.7 through 6.2.0.9 iFix004, 6.4.0.0 through 6.4.0.2 iFix001, and 6.3.0.2 through 6.3.0.5 iFix002 incorrectly assigns permissions for maintenance tasks to Control Center Director (CCD) users that could allow a privileged user to escalate their privileges further due to unnecessary privilege assignment for post update scripts.
Impact
- Gain Access
Indicators of Compromise
CVE
CVE-2025-3356
CVE-2025-3355
CVE-2025-36137
Affected Vendors
- IBM
Affected Products
- IBM Tivoli Monitoring 6.3.0.7
- IBM Tivoli Monitoring 6.3.0.7:sp21
- IBM Sterling Connect:Direct for Unix 6.2.0.7
- IBM Sterling Connect:Direct for Unix 6.2.0.9 iFix004
- IBM Sterling Connect:Direct for Unix 6.4.0.0
- IBM Sterling Connect:Direct for Unix 6.4.0.2 iFix001
- IBM Sterling Connect:Direct for Unix 6.3.0.2
- IBM Sterling Connect:Direct for Unix 6.3.0.5 iFix002
Remediation
Refer to IBM Security Advisory for patch, upgrade, or suggested workaround information.