
CVE-2025-36253

Severity: Medium
Published: 02 February 2026
Modified: 11 February 2026
CVSS v3.1 base score: 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS score: 0.0001 (1.6th percentile)
Risk priority: 12 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-36253 is a medium-severity Use of a One-Way Hash without a Salt (CWE-759) vulnerability in IBM Concert. Its CVSS base score is 5.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unsecured Credentials (T1552). The CVE is ranked at the 1.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SC-28 (Protection of Information at Rest).

Deeper analysis

CVE-2025-36253 is a vulnerability in IBM Concert versions 1.0.0 through 2.1.0, where the software uses weaker than expected cryptographic algorithms. This flaw, published on 2026-02-02, could allow an attacker to decrypt highly sensitive information and is associated with CWE-759. The issue carries a CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating medium severity primarily due to high confidentiality impact.

A remote attacker with no privileges or user interaction required can exploit this vulnerability over the network, though it demands high attack complexity. Successful exploitation enables the attacker to achieve high-impact confidentiality loss by decrypting highly sensitive information, with no effects on integrity or availability.

The IBM security advisory provides details on mitigation and patches at https://www.ibm.com/support/pages/node/7257565.


Vulnerability details

IBM Concert 1.0.0 through 2.1.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1552 Unsecured Credentials (Credential Access): Adversaries may search compromised systems to find and obtain insecurely stored credentials.
Why these techniques?

Weak crypto (CWE-759) directly enables decryption of sensitive data such as credentials.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-43178 (same product: IBM Concert)
CVE-2025-33088 (same product: IBM Concert)
CVE-2025-13219 (same product: Linux Linux Kernel)
CVE-2025-1719 (same product: IBM Concert)
CVE-2024-57905 (same product: Linux Linux Kernel)
CVE-2024-41742 (same product: Linux Linux Kernel)
CVE-2025-13214 (same product: Linux Linux Kernel)
CVE-2025-13718 (same product: Linux Linux Kernel)
CVE-2024-41746 (same product: Linux Linux Kernel)
CVE-2024-51476 (same product: Linux Linux Kernel)

Affected Assets

Vendor: ibm
Product: concert
Versions: 1.0.0 — 2.2.0

Mitigating Controls (NIST 800-53 r5)

Prevent, SC-13 (Cryptographic Protection): Directly requires implementation of approved cryptographic algorithms and protections, preventing use of weak algorithms that enable decryption of sensitive data.

Prevent: Enforces cryptographic protection for data in transit, mitigating the risk of decryption when weak algorithms are used over network paths.

Prevent, SC-28 (Protection of Information at Rest): Requires cryptographic protection of information at rest, addressing exposure of sensitive data when weak algorithms are employed for storage.
