CVE-2025-36363
Published: 03 March 2026
Summary
CVE-2025-36363 is a medium-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in IBM DevOps Plan. Its CVSS base score is 5.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Password Guessing (T1110.001). The CVE ranks at the 18.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and AC-2 (Account Management).
Deeper analysis
CVE-2025-36363 is a vulnerability in IBM DevOps Plan versions 3.0.0 through 3.0.5 stemming from an inadequate account lockout setting (CWE-307). This flaw enables a remote attacker to brute force account credentials due to insufficient protections against repeated login attempts. The issue carries a CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating network accessibility, high attack complexity, no privileges required, no user interaction, unchanged scope, high confidentiality impact, and no integrity or availability impact.
A remote attacker without privileges can exploit this vulnerability by conducting brute force attacks against login credentials. Success grants unauthorized access to sensitive account data, potentially compromising confidentiality, though the high attack complexity limits feasibility for low-sophistication adversaries.
IBM has issued an advisory detailing mitigations at https://www.ibm.com/support/pages/node/7261934. Security practitioners should consult this page for patch information and recommended configurations to enforce proper account lockout mechanisms.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208254
Vulnerability details
IBM DevOps Plan 3.0.0 through 3.0.5 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials.
- CWE(s): CWE-307 (Improper Restriction of Excessive Authentication Attempts)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Password Guessing (T1110.001)
Why these techniques?
The vulnerability is a missing account lockout (CWE-307) that directly enables remote brute-force login attempts against credentials.
Mitigating Controls (NIST 800-53 r5)
- AC-7 (Unsuccessful Logon Attempts): directly enforces a limit on consecutive unsuccessful logon attempts and account lockout, eliminating the inadequate lockout setting that enables brute-force attacks in CVE-2025-36363.
- AC-2 (Account Management): requires definition and management of account lockout parameters as part of account lifecycle controls, addressing the missing configuration that permits credential brute-forcing.
- Enforces the technical policy that denies further authentication attempts after lockout thresholds, directly blocking the remote brute-force path described in the CVE.
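As an added illustration of the AC-7 control above (example code, not IBM DevOps Plan's implementation; the thresholds, account names and attempt timings are assumed values), the following Python tracks consecutive failed logons per account and compares a permissive lockout setting with one that stops password guessing after a handful of failures:

```python
"""Per-account lockout tracker modelled on NIST 800-53 AC-7.
Added example; threshold values are assumed, not IBM product defaults."""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    max_failures: int        # consecutive failures allowed before lockout (AC-7a)
    window_seconds: float    # period over which failures are counted (AC-7a)
    lockout_seconds: float   # how long the account stays locked (AC-7b)
    _failures: dict = field(default_factory=lambda: defaultdict(deque))
    _locked_until: dict = field(default_factory=dict)

    def is_locked(self, account: str, now: float) -> bool:
        return self._locked_until.get(account, 0.0) > now

    def record_failure(self, account: str, now: float) -> bool:
        """Register a failed logon; return True if the account is (now) locked."""
        if self.is_locked(account, now):
            return True
        q = self._failures[account]
        q.append(now)
        # Drop failures older than the counting window.
        while q and now - q[0] > self.window_seconds:
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[account] = now + self.lockout_seconds
            q.clear()
            return True
        return False

    def record_success(self, account: str) -> None:
        """A valid logon resets the consecutive-failure counter."""
        self._failures.pop(account, None)


def simulate(policy: LockoutPolicy, account: str, attempts: int, gap: float = 0.5) -> int:
    """Replay back-to-back failed logons (constructed input); return how many
    reach the credential check before the lockout rejects the rest."""
    checked = 0
    for i in range(attempts):
        now = i * gap
        if policy.is_locked(account, now):
            continue            # rejected before any password comparison
        checked += 1
        policy.record_failure(account, now)
    return checked
```

With a generous threshold every guess reaches the password check; with five failures per five minutes and a fifteen-minute lockout only five of a hundred do.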