CVE-2025-33077
Published: 23 July 2025
Summary
CVE-2025-33077 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in IBM Engineering Systems Design Rhapsody. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 33.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly requires timely identification, reporting, and remediation of the stack-based buffer overflow vulnerability through patching, preventing exploitation.
Implements memory protections such as stack canaries, ASLR, and non-executable stacks to block arbitrary code execution from buffer overflows.
Enforces bounds checking and validation of inputs to the vulnerable Rhapsody application, directly countering the improper bounds checking causing the overflow.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stack-based buffer overflow (CWE-119) with network vector and arbitrary code execution directly maps to exploitation of a public-facing application for initial code execution.
NVD Description
IBM Engineering Systems Design Rhapsody 9.0.2, 10.0, and 10.0.1 is vulnerable to a stack-based buffer overflow, caused by improper bounds checking. A local user could overflow the buffer and execute arbitrary code on the system.
Deeper analysis
IBM Engineering Systems Design Rhapsody versions 9.0.2, 10.0, and 10.0.1 are affected by CVE-2025-33077, a stack-based buffer overflow vulnerability caused by improper bounds checking (CWE-119). Published on 2025-07-23, the flaw carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.
A local user could exploit the vulnerability by overflowing the buffer, enabling execution of arbitrary code on the system. The CVSS vector specifies a network attack vector (AV:N), low attack complexity, low privileges required, no user interaction, and unchanged scope, with high confidentiality, integrity, and availability impacts. The NVD description refers to a local user while the vector is scored as network-accessible, so exposure should be assessed against both.
IBM has published an advisory with details on the vulnerability at https://www.ibm.com/support/pages/node/7240375, which security practitioners should consult for mitigation guidance and patch information.
Details
- CWE(s)