CVE-2025-1722

Medium

Published: 20 January 2026

Published

20 January 2026

Modified

26 January 2026

KEV Added

—

Patch

—

CVSS Score 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Score 0.0006 17.6th percentile

Risk Priority 12 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1722 is a medium-severity Heap Inspection (CWE-244) vulnerability in Ibm Concert. Its CVSS base score is 5.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 17.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Data from Local System (T1005).

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

SC-4 Information in Shared System Resources

addresses: CWE-244

Forces clearing of heap memory contents prior to release, preventing subsequent processes from inspecting prior sensitive data.

SI-12 Information Management and Retention

addresses: CWE-244

Information management requirements drive clearing of sensitive contents from memory prior to release or reuse.

MITRE ATT&CK Enterprise TechniquesAI

T1005 Data from Local System Collection

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

attack.mitre.org →

Why these techniques?

Direct heap memory disclosure enables reading sensitive data from local process memory without requiring additional access methods.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

IBM Concert 1.0.0 through 2.1.0 could allow a remote attacker to obtain sensitive information from allocated memory due to improper clearing of heap memory.

Deeper analysisAI

CVE-2025-1722 is a vulnerability in IBM Concert versions 1.0.0 through 2.1.0 that stems from improper clearing of heap memory before release, as classified under CWE-244. This flaw could allow a remote attacker to obtain sensitive information from allocated memory. The vulnerability has a CVSS v3.1 base score of 5.9, reflecting network accessibility, high attack complexity, no privileges or user interaction required, unchanged scope, high confidentiality impact, and no integrity or availability impact.

A remote attacker without privileges can exploit this over the network, though it requires high complexity to trigger the improper memory clearing. Successful exploitation enables disclosure of sensitive data lingering in heap memory, potentially exposing confidential information depending on what was previously stored there.

IBM's security advisory at https://www.ibm.com/support/pages/node/7257006 provides details on mitigation, including recommended patches or workarounds for affected Concert versions. Security practitioners should review this page promptly for version-specific remediation steps.

Details

CWE(s): CWE-244

Affected Products

ibm

concert

1.0.0 — 2.2.0

CVEs Like This One

CVE-2025-1719Same product: Ibm Concert

CVE-2025-64647Same product: Ibm Concert

CVE-2024-49354Same product: Ibm Concert

CVE-2025-33089Same product: Ibm Concert

CVE-2025-33015Same product: Ibm Concert

CVE-2024-52367Same product: Ibm Concert

CVE-2026-0977Same vendor: Ibm

CVE-2025-13108Same vendor: Ibm

CVE-2024-56340Same vendor: Ibm

CVE-2025-0162Same vendor: Ibm

References

https://www.ibm.com/support/pages/node/7257006
Vendor Advisory · psirt@us.ibm.com