CVE-2025-36253
Published: 02 February 2026
Summary
CVE-2025-36253 is a medium-severity Use of a One-Way Hash without a Salt (CWE-759) vulnerability in IBM Concert. Its CVSS base score is 5.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unsecured Credentials (T1552). The CVE ranks at percentile 1.3 by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Security associations provide guidance on proper one-way hash usage including salting, reducing the chance of unsalted implementations.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Weak crypto (CWE-759) directly enables decryption of sensitive data such as credentials.
NVD Description
IBM Concert 1.0.0 through 2.1.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.
Deeper analysis (AI)
CVE-2025-36253 is a vulnerability in IBM Concert versions 1.0.0 through 2.1.0, where the software uses weaker than expected cryptographic algorithms. This flaw, published on 2026-02-02, could allow an attacker to decrypt highly sensitive information and is associated with CWE-759. The issue carries a CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating medium severity primarily due to high confidentiality impact.
A remote attacker can exploit this vulnerability over the network without privileges or user interaction, though the attack complexity is high. Successful exploitation causes a high-impact loss of confidentiality through decryption of highly sensitive information, with no effect on integrity or availability.
The IBM security advisory provides details on mitigation and patches at https://www.ibm.com/support/pages/node/7257565.
Details
- CWE(s)