Cyber Posture

CVE-2025-36094

Severity: Medium
Published: 03 February 2026
Modified: 25 February 2026
KEV Added: not listed
Patch: see IBM security bulletin https://www.ibm.com/support/pages/node/7259318
CVSS Score: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L)
EPSS Score: 0.0007 (21.6th percentile)
Risk Priority: 11 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-36094 is a medium-severity Improper Validation of Specified Quantity in Input (CWE-1284) vulnerability in IBM Cloud Pak for Business Automation. Its CVSS v3.1 base score is 5.4 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). Its EPSS score places it at the 21.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004) and one other technique, Stored Data Manipulation (T1565.001).
Threat & Defense Details

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
T1565.001 Stored Data Manipulation Impact
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

Because the application does not properly validate the length of user-supplied input, an authenticated user can send input over the network that either disrupts the application (T1499.004) or corrupts existing stored data (T1565.001). Note that the vendor description names the affected product and the impact but not the specific component or input field, so the mapping is inferred from the weakness class rather than from a published exploit.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

IBM Cloud Pak for Business Automation 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 007 could allow an authenticated user to cause a denial of service or corrupt existing data due to the improper validation of input length.

Deeper analysis

CVE-2025-36094 is a vulnerability in IBM Cloud Pak for Business Automation affecting versions 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 007. It stems from improper validation of input length (CWE-1284), which can enable an authenticated user to cause a denial of service or corrupt existing data. The vulnerability has a CVSS v3.1 base score of 5.4 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L), indicating medium severity with network accessibility, low attack complexity, and low impacts to integrity and availability but no confidentiality impact.

An authenticated user with low privileges (PR:L) can exploit this over the network without user interaction by supplying inputs that exceed expected lengths. Successful exploitation allows the attacker to trigger a denial of service, disrupting service availability, or corrupt existing data, potentially leading to integrity violations such as altered records or workflows in the Business Automation environment.
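The two impacts described above (availability loss and integrity loss from a single unchecked length) are easiest to see on a concrete data structure. The following is an added illustration written for this page, not code from IBM or from Cloud Pak for Business Automation, whose internals the advisory does not show. It builds a constructed fixed-width record store and a hypothetical length-prefixed update message (`[record index:2][declared length:2][value]`); the vulnerable handler trusts the declared length exactly as CWE-1284 describes, while the hardened handler bounds it and cross-checks it against the payload actually received. The slot width, record count and message layout are assumptions for the example only.

```python
import struct

# Constructed sample layout (assumed for this example, not the product's format):
# three fixed-width 8-byte records stored back to back in one bytearray.
RECORD_WIDTH = 8
NUM_RECORDS = 3


def new_store() -> bytearray:
    """Return a fresh copy of the constructed sample store."""
    return bytearray(b"rec0____rec1____rec2____")


def build_update(idx: int, declared_len: int, body: bytes) -> bytes:
    """Hypothetical update message: big-endian record index and declared length,
    followed by the value. declared_len is deliberately NOT derived from body so
    that a mismatched or oversized length can be constructed for the demo."""
    return struct.pack(">HH", idx, declared_len) + body


def read_record(store: bytearray, idx: int) -> bytes:
    """Read one fixed-width slot; fails once the store layout has been damaged."""
    off = idx * RECORD_WIDTH
    if off + RECORD_WIDTH > len(store):
        raise IndexError("record %d lies outside the store" % idx)
    return bytes(store[off:off + RECORD_WIDTH])


def apply_update_vulnerable(store: bytearray, msg: bytes) -> bytearray:
    """CWE-1284 pattern: the declared length is used as-is.
    - declared length > slot width: the write spills into the next record
      (integrity: a different user's record is silently overwritten);
    - declared length != bytes actually supplied: the slice assignment resizes
      the bytearray, shifting every later record and making later reads fail
      (availability: the store is unusable until repaired)."""
    idx, n = struct.unpack_from(">HH", msg, 0)
    off = idx * RECORD_WIDTH
    store[off:off + n] = msg[4:4 + n]
    return store


def apply_update_hardened(store: bytearray, msg: bytes) -> bytearray:
    """Validate the specified quantity before using it: bound it by policy and
    require it to match the payload that was really received."""
    if len(msg) < 4:
        raise ValueError("short header")
    idx, n = struct.unpack_from(">HH", msg, 0)
    body = msg[4:]
    if idx >= NUM_RECORDS:
        raise ValueError("record index out of range")
    if n > RECORD_WIDTH:
        raise ValueError("declared length exceeds slot width")
    if n != len(body):
        raise ValueError("declared length does not match payload")
    off = idx * RECORD_WIDTH
    # Always write exactly one slot, padding so neighbours are never touched.
    store[off:off + RECORD_WIDTH] = body.ljust(RECORD_WIDTH, b"_")
    return store


if __name__ == "__main__":
    s = new_store()
    apply_update_vulnerable(s, build_update(1, 12, b"X" * 12))
    print("overlong write corrupted record 2:", read_record(s, 2))
    s = new_store()
    apply_update_vulnerable(s, build_update(0, 8, b"hi"))
    print("mismatched length shrank store to", len(s), "bytes")
    try:
        read_record(s, 2)
    except IndexError as e:
        print("later read now fails:", e)
    s = new_store()
    try:
        apply_update_hardened(s, build_update(1, 12, b"X" * 12))
    except ValueError as e:
        print("hardened handler rejected it:", e)
```

The hardened variant shows the two checks that CWE-1284 is about: an upper bound on the specified quantity and a consistency check between the quantity and the data it claims to describe. Either check alone is insufficient; the bound stops the cross-record overwrite, the consistency check stops the resize.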

For mitigation details, refer to the IBM security bulletin at https://www.ibm.com/support/pages/node/7259318, which provides guidance on applying patches or workarounds for the affected versions.

Details

CWE(s)

CWE-1284 Improper Validation of Specified Quantity in Input

Affected Products

IBM
Cloud Pak for Business Automation
24.0.0, 24.0.1, 25.0.0 (up to and including the interim fix levels listed in the NVD description)

CVEs Like This One

CVE-2025-36070 (same vendor: IBM)
CVE-2025-1403 (same vendor: IBM)
CVE-2025-36442 (same vendor: IBM)
CVE-2025-3356 (same vendor: IBM)
CVE-2026-1376 (same vendor: IBM)
CVE-2025-36247 (same vendor: IBM)
CVE-2025-12531 (same vendor: IBM)
CVE-2025-13379 (same vendor: IBM)
CVE-2024-56340 (same vendor: IBM)
CVE-2024-43187 (same vendor: IBM)

References

IBM security bulletin: https://www.ibm.com/support/pages/node/7259318