CVE-2025-33089
Published: 17 February 2026
Summary
CVE-2025-33089 is a medium-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Ibm Concert. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001); ranked at the 16.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Enables users to notice when hard-coded credentials have been exploited for unauthorized access.
Security training explicitly warns against hard-coded credentials, lowering their use in systems.
Policy and procedures prohibit hard-coded credentials in favor of managed authentication.
External identity providers eliminate the need for hard-coded credentials in applications.
Changing default authenticators prior to first use and protecting content prevents use of hard-coded credentials.
Central credential stores and rotation policies remove the need for hard-coded credentials in configuration files or code.
Intelligence programs surface reports of campaigns that abuse hard-coded credentials in products, prompting removal or replacement and thereby reducing successful exploitation.
Planned investment enables secure credential storage and management systems instead of hard-coded credentials.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Hard-coded credentials directly enable use of default/embedded valid accounts for unauthorized access and actions.
NVD Description
IBM Concert 1.0.0 through 2.1.0 could allow a remote attacker to obtain sensitive information or perform unauthorized actions due to the use of hard coded user credentials.
Deeper analysisAI
CVE-2025-33089 is a vulnerability in IBM Concert versions 1.0.0 through 2.1.0 stemming from the use of hard-coded user credentials, classified under CWE-798. This flaw enables a remote attacker to obtain sensitive information or perform unauthorized actions by leveraging the embedded credentials. The vulnerability carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N), indicating medium severity with network accessibility, low attack complexity, no required privileges or user interaction, and low impacts on confidentiality and integrity.
A remote attacker without authentication can exploit this vulnerability over the network with minimal effort. Successful exploitation allows disclosure of low-sensitivity information and limited unauthorized modifications, such as actions that rely on the hard-coded credentials' privileges, without affecting availability.
IBM has published an advisory with mitigation details at https://www.ibm.com/support/pages/node/7260162, published on 2026-02-17. Security practitioners should consult this resource for patch information and remediation steps specific to affected IBM Concert deployments.
Details
- CWE(s)