Cyber Resilience

CVE-2025-36363

Medium

Published: 03 March 2026

Published
03 March 2026
Modified
04 March 2026
KEV Added
Patch
CVSS Score v3.1 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0006 18.4th percentile
Risk Priority 12 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-36363 is a medium-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in Ibm Devops Plan. Its CVSS base score is 5.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Password Guessing (T1110.001); ranked at the 18.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and AC-2 (Account Management).

Deeper analysis

CVE-2025-36363 is a vulnerability in IBM DevOps Plan versions 3.0.0 through 3.0.5 stemming from an inadequate account lockout setting (CWE-307). This flaw enables a remote attacker to brute force account credentials due to insufficient protections against repeated login attempts. The issue carries a CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating network accessibility, high attack complexity, no privileges required, no user interaction, unchanged scope, high confidentiality impact, and no integrity or availability impact.

A remote attacker without privileges can exploit this vulnerability by conducting brute force attacks against login credentials. Success grants unauthorized access to sensitive account data, potentially compromising confidentiality, though the high attack complexity limits feasibility for low-sophistication adversaries.

IBM has issued an advisory detailing mitigations at https://www.ibm.com/support/pages/node/7261934. Security practitioners should consult this page for patch information and recommended configurations to enforce proper account lockout mechanisms.

EU & UK References

Vulnerability details

IBM DevOps Plan 3.0.0 through 3.0.5 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1110.001 Password Guessing Credential Access
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.
Why these techniques?

The vulnerability is a missing account lockout (CWE-307) that directly enables remote brute-force login attempts against credentials.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-51476Same vendor: Ibm
CVE-2024-9342Shared CWE-307
CVE-2026-24436Shared CWE-307
CVE-2026-32292Shared CWE-307
CVE-2026-27521Shared CWE-307
CVE-2025-58587Shared CWE-307
CVE-2025-3356Same vendor: Ibm
CVE-2025-0162Same vendor: Ibm
CVE-2025-12531Same vendor: Ibm
CVE-2025-36251Same vendor: Ibm

Affected Assets

ibm
devops plan
3.0.0 — 3.0.6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces a limit on consecutive unsuccessful logon attempts and account lockout, eliminating the inadequate lockout setting that enables brute-force attacks in CVE-2025-36363.

prevent

Requires definition and management of account lockout parameters as part of account lifecycle controls, addressing the missing configuration that permits credential brute-forcing.

prevent

Enforces the technical policy that denies further authentication attempts after lockout thresholds, directly blocking the remote brute-force path described in the CVE.

References