Cyber Resilience

CVE-2025-36236

High

Published: 13 November 2025

Published
13 November 2025
Modified
19 November 2025
KEV Added
Patch
CVSS Score v3.1 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
EPSS Score 0.0007 22.4th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-36236 is a high-severity Path Traversal (CWE-22) vulnerability in Ibm Vios. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 22.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-36236 is a directory traversal vulnerability (CWE-22) in the NIM server service, known as nimesis (formerly NIM master), affecting IBM AIX 7.2 and 7.3, as well as IBM VIOS 3.1 and 4.1. Published on 2025-11-13, the flaw allows a remote attacker to traverse directories on the system by sending a specially crafted URL request, enabling the writing of arbitrary files. It carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L), indicating high severity due to its network accessibility and lack of prerequisites.

An unauthenticated remote attacker with network access to the vulnerable NIM server can exploit this issue with low complexity and no user interaction required. Successful exploitation allows writing arbitrary files to the filesystem, which could lead to overwriting configuration files, injecting malicious code, or facilitating further attacks, resulting in high integrity impact and low availability impact with no direct confidentiality loss.

IBM has published a security advisory at https://www.ibm.com/support/pages/node/7251173 detailing the vulnerability, affected versions, and mitigation guidance, including available patches for remediation.

EU & UK References

Vulnerability details

IBM AIX 7.2, and 7.3 and IBM VIOS 3.1, and 4.1 NIM server (formerly known as NIM master) service (nimesis) could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request…

more

to write arbitrary files on the system.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a directory traversal in a network-accessible NIM server service exploitable via crafted URL requests by unauthenticated remote attackers to write arbitrary files, directly enabling T1190 (Exploit Public-Facing Application).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-36250Same product: Ibm Aix
CVE-2025-14914Same vendor: Ibm
CVE-2025-36251Same product: Ibm Aix
CVE-2026-3366Same vendor: Ibm
CVE-2024-56346Same product: Ibm Aix
CVE-2024-56347Same product: Ibm Aix
CVE-2025-3356Same vendor: Ibm
CVE-2024-45652Same vendor: Ibm
CVE-2023-49886Same vendor: Ibm
CVE-2024-39750Same vendor: Ibm

Affected Assets

ibm
vios
3.1.0, 4.1.0
ibm
aix
7.2, 7.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Applying vendor-provided patches directly remediates the directory traversal vulnerability in the nimesis service, preventing arbitrary file writes.

prevent

Validates specially crafted URL requests to detect and reject path traversal sequences, blocking the ability to write arbitrary files outside intended directories.

prevent

Enforces access control policies to restrict file write operations to authorized paths only, mitigating traversal attempts that bypass directory restrictions.

References