CVE-2025-33088
Published: 17 February 2026
Summary
CVE-2025-33088 is a high-severity Incorrect Permission Assignment for Critical Resource (CWE-732) vulnerability in IBM Concert. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Services File Permissions Weakness (T1574.010). The CVE ranks at the 1.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
IBM Concert versions 1.0.0 through 2.1.0 contain a vulnerability (CVE-2025-33088) due to incorrect file permissions (CWE-732) on critical resources, which could allow a local user with specific knowledge of the system's architecture to escalate privileges. The issue received a CVSS v3.1 base score of 7.4 (AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high impact but requiring local access and high attack complexity.
A local attacker with no privileges but detailed knowledge of the system's architecture could exploit the improper permissions to gain elevated privileges, potentially achieving high confidentiality, integrity, and availability impacts on the affected system.
IBM has published an advisory with mitigation details at https://www.ibm.com/support/pages/node/7260161. Security practitioners should consult this resource for patching instructions and workarounds applicable to affected IBM Concert installations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-207833
Vulnerability details
IBM Concert 1.0.0 through 2.1.0 could allow a local user with specific knowledge about the system's architecture to escalate their privileges due to incorrect file permissions for critical resources.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct mapping to file system permissions weakness enabling local privilege escalation via CWE-732.
Mitigating Controls (NIST 800-53 r5)
- Directly enforces file and resource permissions so a local user cannot read or modify critical files to escalate privileges.
- Requires that critical resources receive only the minimum permissions needed, directly blocking the CWE-732 misconfiguration that enables local escalation.
- Mandates secure baseline settings for file permissions on installed software, preventing the default or misapplied permissions described in the CVE.