CVE-2025-36253
Published: 02 February 2026
Summary
CVE-2025-36253 is a medium-severity Use of a One-Way Hash without a Salt (CWE-759) vulnerability in IBM Concert. Its CVSS base score is 5.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unsecured Credentials (T1552). Its exploit likelihood ranks at the 1.6th percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SC-28 (Protection of Information at Rest).
Deeper analysis
CVE-2025-36253 is a vulnerability in IBM Concert versions 1.0.0 through 2.1.0, where the software uses weaker than expected cryptographic algorithms. This flaw, published on 2026-02-02, could allow an attacker to decrypt highly sensitive information and is associated with CWE-759. The issue carries a CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating medium severity primarily due to high confidentiality impact.
A remote attacker with no privileges or user interaction required can exploit this vulnerability over the network, though it demands high attack complexity. Successful exploitation enables the attacker to achieve high-impact confidentiality loss by decrypting highly sensitive information, with no effects on integrity or availability.
The IBM security advisory provides details on mitigation and patches at https://www.ibm.com/support/pages/node/7257565.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206789
Vulnerability details
IBM Concert 1.0.0 through 2.1.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.
- CWE(s): CWE-759 (Use of a One-Way Hash without a Salt)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1552 (Unsecured Credentials)
Why these techniques?
Weak crypto (CWE-759) directly enables decryption of sensitive data such as credentials.
Mitigating Controls (NIST 800-53 r5)
- SC-13 (Cryptographic Protection): directly requires the use of approved cryptographic algorithms and protections, preventing the weak algorithms that enable decryption of sensitive data.
- Transmission protection: enforces cryptographic protection for data in transit, mitigating the risk of decryption when weak algorithms are used over network paths.
- SC-28 (Protection of Information at Rest): requires cryptographic protection of stored information, addressing exposure of sensitive data when weak algorithms are employed for storage.
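To make the CWE-759 weakness behind this CVE and the SC-13/SC-28 style of mitigation concrete, here is an added Python illustration. It is example code written for this page, not IBM Concert's implementation; the sample secrets, the storage format and the PBKDF2 iteration count are constructed assumptions.

```python
from __future__ import annotations
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample records; two users happen to share the same secret.
SAMPLE_SECRETS = {"alice": "Winter2024!", "bob": "Winter2024!", "carol": "s3cr3t-phrase"}
PBKDF2_ITERATIONS = 600_000  # assumption: a current PBKDF2-HMAC-SHA256 work factor


def unsalted_digest(secret: str) -> str:
    """The CWE-759 pattern: a bare one-way hash with no salt. Equal inputs always
    yield equal digests, so one precomputed table of common secrets recovers
    every matching record at once."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def duplicate_digests(store: dict[str, str]) -> list[str]:
    """Audit check: with per-record salts two records never share a digest, so
    any repeated digest in a stored table is a strong indicator of unsalted hashing."""
    counts = Counter(store.values())
    return sorted(d for d, n in counts.items() if n > 1)


def salted_hash(secret: str, salt: bytes | None = None) -> str:
    """Hardened form: random per-record salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    The self-describing record lets the work factor be raised later."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(secret: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def build_stores() -> tuple[dict[str, str], dict[str, str]]:
    """Return (weak_store, hardened_store) built from the constructed sample secrets."""
    weak = {u: unsalted_digest(s) for u, s in SAMPLE_SECRETS.items()}
    strong = {u: salted_hash(s) for u, s in SAMPLE_SECRETS.items()}
    return weak, strong


if __name__ == "__main__":
    weak, strong = build_stores()
    print("repeated digests, unsalted store:", duplicate_digests(weak))  # alice and bob collide
    print("repeated digests, salted store:  ", duplicate_digests(strong))  # []
    print("verify alice:", verify("Winter2024!", strong["alice"]))
```

The duplicate-digest check is a cheap audit a defender can run against an exported credential table; a non-empty result is the signal that the store needs migrating to the salted, slow-KDF form.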