Cyber Resilience

CVE-2025-33088

Severity: High · Type: LPE

Published: 17 February 2026
Modified: 18 February 2026
KEV Added: not listed
Patch: see IBM advisory (References)
CVSS Score (v3.1): 7.4 (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0010 (1.0th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2025-33088 is a high-severity Incorrect Permission Assignment for Critical Resource (CWE-732) vulnerability in IBM Concert. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Services File Permissions Weakness (T1574.010). The CVE is ranked at the 1.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

IBM Concert versions 1.0.0 through 2.1.0 contain a vulnerability (CVE-2025-33088) due to incorrect file permissions (CWE-732) on critical resources, which could allow a local user with specific knowledge of the system's architecture to escalate privileges. The issue received a CVSS v3.1 base score of 7.4 (AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high impact but requiring local access and high attack complexity.

A local attacker with no privileges but detailed knowledge of the system's architecture could exploit the improper permissions to gain elevated privileges, potentially achieving high confidentiality, integrity, and availability impacts on the affected system.

IBM has published an advisory with mitigation details at https://www.ibm.com/support/pages/node/7260161. Security practitioners should consult this resource for patching instructions and workarounds applicable to affected IBM Concert installations.

Vulnerability details

IBM Concert 1.0.0 through 2.1.0 could allow a local user with specific knowledge about the system's architecture to escalate their privileges due to incorrect file permissions for critical resources.

CWE(s)

CWE-732 Incorrect Permission Assignment for Critical Resource

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1574.010 Services File Permissions Weakness [Stealth]
Adversaries may execute their own malicious payloads by hijacking the binaries used by services.
Why these techniques?

Direct mapping to file system permissions weakness enabling local privilege escalation via CWE-732.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-36253 (same product: IBM Concert)
CVE-2024-43178 (same product: IBM Concert)
CVE-2024-38337 (same product: Linux / Linux Kernel)
CVE-2024-41746 (same product: Linux / Linux Kernel)
CVE-2024-41743 (same product: Linux / Linux Kernel)
CVE-2025-13718 (same product: Linux / Linux Kernel)
CVE-2025-13723 (same product: Linux / Linux Kernel)
CVE-2025-13214 (same product: Linux / Linux Kernel)
CVE-2024-45643 (same product: Linux / Linux Kernel)
CVE-2025-13726 (same product: Linux / Linux Kernel)

Affected Assets

Vendor: IBM
Product: Concert
Versions: 1.0.0 to 2.2.0

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

Prevent (AC-3 Access Enforcement): Directly enforces file and resource permissions so a local user cannot read or modify critical files to escalate privileges.

Prevent (AC-6 Least Privilege): Requires that critical resources receive only the minimum permissions needed, directly blocking the CWE-732 misconfiguration that enables local escalation.

Prevent: Mandates secure baseline settings for file permissions on installed software, preventing the default or misapplied permissions described in the CVE.

References

IBM Security Bulletin (advisory with mitigation and patching details): https://www.ibm.com/support/pages/node/7260161