CVE-2025-33089
Published: 17 February 2026
Summary
CVE-2025-33089 is a medium-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Ibm Concert. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001); ranked at the 13.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).
Deeper analysis
CVE-2025-33089 is a vulnerability in IBM Concert versions 1.0.0 through 2.1.0 stemming from the use of hard-coded user credentials, classified under CWE-798. This flaw enables a remote attacker to obtain sensitive information or perform unauthorized actions by leveraging the embedded credentials. The vulnerability carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N), indicating medium severity with network accessibility, low attack complexity, no required privileges or user interaction, and low impacts on confidentiality and integrity.
A remote attacker without authentication can exploit this vulnerability over the network with minimal effort. Successful exploitation allows disclosure of low-sensitivity information and limited unauthorized modifications, such as actions that rely on the hard-coded credentials' privileges, without affecting availability.
IBM has published an advisory with mitigation details at https://www.ibm.com/support/pages/node/7260162, published on 2026-02-17. Security practitioners should consult this resource for patch information and remediation steps specific to affected IBM Concert deployments.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-207700
Vulnerability details
IBM Concert 1.0.0 through 2.1.0 could allow a remote attacker to obtain sensitive information or perform unauthorized actions due to the use of hard coded user credentials.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Hard-coded credentials directly enable use of default/embedded valid accounts for unauthorized access and actions.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
IA-5 requires secure authenticator management and explicitly prohibits embedding hard-coded credentials in software, directly blocking the root cause of CVE-2025-33089.
AC-3 enforces validated access decisions before granting any privileges, preventing the unauthenticated actions enabled by the hard-coded credentials in IBM Concert.
CM-6 mandates secure configuration settings that would disallow hard-coded credentials in deployed IBM Concert instances.