Cyber Posture

CVE-2025-36251

Critical

Published: 13 November 2025

Published
13 November 2025
Modified
19 November 2025
KEV Added
Patch
CVSS Score 9.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L
EPSS Score 0.0005 15.9th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-36251 is a critical-severity Process Control (CWE-114) vulnerability in Ibm Vios. Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked at the 15.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation of Remote Services (T1210) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly remediates the specific flaw in nimsh SSL/TLS process controls by applying vendor patches as recommended in IBM's advisory.

SC-39 Process Isolation good match
prevent

Enforces process isolation to counter improper process controls (CWE-114) that enable remote arbitrary command execution in the nimsh service.

CM-7 Least Functionality partial match
prevent

Minimizes attack surface by restricting the nimsh service to least functionality or disabling it if not essential, preventing exploitation vectors.

MITRE ATT&CK Enterprise TechniquesAI

T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
attack.mitre.org →
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
attack.mitre.org →
Why these techniques?

Vulnerability in nimsh service enables remote exploitation (T1210) for arbitrary command execution on AIX/VIOS Unix systems (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

IBM AIX 7.2, and 7.3 and IBM VIOS 3.1, and 4.1 nimsh service SSL/TLS implementations could allow a remote attacker to execute arbitrary commands due to improper process controls. This addresses additional attack vectors for a vulnerability that was previously…

more

addressed in CVE-2024-56347.

Deeper analysisAI

CVE-2025-36251 is a high-severity vulnerability in the nimsh service SSL/TLS implementations on IBM AIX 7.2 and 7.3, as well as IBM VIOS 3.1 and 4.1. It arises from improper process controls (CWE-114), enabling a remote attacker to execute arbitrary commands. Published on 2025-11-13, this issue addresses additional attack vectors related to a vulnerability previously fixed in CVE-2024-56347. The CVSS v3.1 base score is 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L).

A remote attacker can exploit this over the network with low attack complexity and no privileges required, though user interaction is necessary. Upon successful exploitation, the attacker achieves high confidentiality and integrity impacts, such as accessing sensitive data or modifying system behavior through arbitrary command execution, alongside low availability impact and a crossed scope that affects additional privileges or components.

IBM's security advisory at https://www.ibm.com/support/pages/node/7251173 details the vulnerability, affected versions, and recommended mitigation steps, including available patches.

Details

CWE(s)
CWE-114

Affected Products

ibm
vios
3.1.0, 4.1.0
ibm
aix
7.2, 7.3

CVEs Like This One

CVE-2025-36250Same product: Ibm Aix
CVE-2024-56347Same product: Ibm Aix
CVE-2024-56346Same product: Ibm Aix
CVE-2025-36236Same product: Ibm Aix
CVE-2025-0160Same vendor: Ibm
CVE-2025-13688Same vendor: Ibm
CVE-2025-13686Same vendor: Ibm
CVE-2025-13687Same vendor: Ibm
CVE-2025-36247Same vendor: Ibm
CVE-2024-56340Same vendor: Ibm

References