Cyber Resilience

CVE-2025-33089

Medium

Published: 17 February 2026

Published
17 February 2026
Modified
18 February 2026
KEV Added
Patch
CVSS Score v3.1 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS Score 0.0023 13.0th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2025-33089 is a medium-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Ibm Concert. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001); ranked at the 13.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2025-33089 is a vulnerability in IBM Concert versions 1.0.0 through 2.1.0 stemming from the use of hard-coded user credentials, classified under CWE-798. This flaw enables a remote attacker to obtain sensitive information or perform unauthorized actions by leveraging the embedded credentials. The vulnerability carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N), indicating medium severity with network accessibility, low attack complexity, no required privileges or user interaction, and low impacts on confidentiality and integrity.

A remote attacker without authentication can exploit this vulnerability over the network with minimal effort. Successful exploitation allows disclosure of low-sensitivity information and limited unauthorized modifications, such as actions that rely on the hard-coded credentials' privileges, without affecting availability.

IBM has published an advisory with mitigation details at https://www.ibm.com/support/pages/node/7260162, published on 2026-02-17. Security practitioners should consult this resource for patch information and remediation steps specific to affected IBM Concert deployments.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

IBM Concert 1.0.0 through 2.1.0 could allow a remote attacker to obtain sensitive information or perform unauthorized actions due to the use of hard coded user credentials.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1078.001 Default Accounts Stealth
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

Hard-coded credentials directly enable use of default/embedded valid accounts for unauthorized access and actions.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-64647Same product: Ibm Concert
CVE-2025-1719Same product: Ibm Concert
CVE-2025-33015Same product: Ibm Concert
CVE-2024-52367Same product: Ibm Concert
CVE-2025-1722Same product: Ibm Concert
CVE-2024-49354Same product: Ibm Concert
CVE-2026-7365Same vendor: Ibm
CVE-2026-5065Same vendor: Ibm
CVE-2026-26218Shared CWE-798
CVE-2026-24346Shared CWE-798

Affected Assets

ibm
concert
1.0.0 — 2.2.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

IA-5 requires secure authenticator management and explicitly prohibits embedding hard-coded credentials in software, directly blocking the root cause of CVE-2025-33089.

prevent

AC-3 enforces validated access decisions before granting any privileges, preventing the unauthenticated actions enabled by the hard-coded credentials in IBM Concert.

prevent

CM-6 mandates secure configuration settings that would disallow hard-coded credentials in deployed IBM Concert instances.

References