CVE-2025-36386
Published: 28 October 2025
Summary
CVE-2025-36386 is a critical-severity Authentication Bypass by Primary Weakness (CWE-305) vulnerability in IBM Maximo Application Suite. Its CVSS v3.1 base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 44.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog. A below-median likelihood score does not lessen the exposure of an internet-reachable instance, since the vector requires no privileges or user interaction.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely identification, reporting, and correction of flaws such as this authentication bypass through vendor patches.
- AC-3 (Access Enforcement): enforces approved authorizations for access to the application, directly countering the unauthorized access gained via an authentication bypass.
- IA-2 (Identification and Authentication (Organizational Users)): mandates unique identification and authentication of organizational users, mitigating bypass of the authentication mechanisms in IBM Maximo.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an authentication bypass in a public-facing web application (IBM Maximo Application Suite), directly enabling remote exploitation for unauthorized access without privileges, aligning with T1190: Exploit Public-Facing Application.
NVD Description
IBM Maximo Application Suite 9.0.0 through 9.0.15 and 9.1.0 through 9.1.4 could allow a remote attacker to bypass authentication mechanisms and gain unauthorized access to the application.
Deeper analysis
CVE-2025-36386 is an authentication bypass vulnerability affecting IBM Maximo Application Suite versions 9.0.0 through 9.0.15 and 9.1.0 through 9.1.4. It enables a remote attacker to circumvent authentication mechanisms and gain unauthorized access to the application. The vulnerability is classified as CWE-305 (Authentication Bypass by Primary Weakness) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low attack complexity, and lack of prerequisites.
A remote attacker requires no privileges, user interaction, or special conditions to exploit this vulnerability over the network. Successful exploitation allows the attacker to bypass authentication entirely, resulting in high-impact unauthorized access that compromises confidentiality, integrity, and availability of the affected application.
IBM has published an advisory detailing the issue and mitigation steps at https://www.ibm.com/support/pages/node/7249416. Security practitioners should consult this reference for specific patch information and remediation guidance applicable to the vulnerable versions.
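The following triage helper is an added example, not code from IBM or from the advisory. It does two things a responder wants before reading the vendor page: it recomputes the CVSS v3.1 base score from the vector string quoted above (using the published FIRST formulas and metric weights) so the 9.8 is verified rather than trusted, and it tests a deployed Maximo Application Suite version string against the affected ranges the NVD description lists. The version strings in the usage section are constructed for illustration; the helper only reads the numeric triple, so whether an interim fix applied on top of an affected base version remediates the issue is a question for the IBM advisory, not for this check.

```python
"""Triage helper for CVE-2025-36386 (added example; not IBM's code)."""
import math
import re

# CVSS v3.1 metric weights from the FIRST specification (section 7.4).
_AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
_AC = {"L": 0.77, "H": 0.44}
_PR_UNCHANGED = {"N": 0.85, "L": 0.62, "H": 0.27}
_PR_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.5}
_UI = {"N": 0.85, "R": 0.62}
_CIA = {"H": 0.56, "L": 0.22, "N": 0.0}


def _roundup(x: float) -> float:
    """CVSS v3.1 Roundup: smallest one-decimal value >= x, done in integer math."""
    i = round(x * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def cvss31_base_score(vector: str) -> float:
    """Base score for a 'CVSS:3.1/AV:..' or bare 'AV:..' vector string."""
    parts = dict(p.split(":") for p in vector.split("/") if not p.startswith("CVSS"))
    changed = parts["S"] == "C"
    iss = 1 - (1 - _CIA[parts["C"]]) * (1 - _CIA[parts["I"]]) * (1 - _CIA[parts["A"]])
    if changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    pr = (_PR_CHANGED if changed else _PR_UNCHANGED)[parts["PR"]]
    exploitability = 8.22 * _AV[parts["AV"]] * _AC[parts["AC"]] * pr * _UI[parts["UI"]]
    if impact <= 0:
        return 0.0
    if changed:
        return _roundup(min(1.08 * (impact + exploitability), 10))
    return _roundup(min(impact + exploitability, 10))


# Affected ranges exactly as the NVD description lists them (inclusive).
AFFECTED_RANGES = (((9, 0, 0), (9, 0, 15)), ((9, 1, 0), (9, 1, 4)))


def parse_version(s: str) -> tuple:
    """'9.0.12' -> (9, 0, 12); a trailing tag such as '-ifix01' is ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", s)
    if not m:
        raise ValueError(f"unrecognised Maximo Application Suite version: {s!r}")
    return tuple(int(g) for g in m.groups())


def is_affected(version: str) -> bool:
    """True if the numeric version lies inside an NVD-listed affected range."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    vec = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
    print(f"{vec} -> base score {cvss31_base_score(vec)}")
    # Constructed sample versions, including both range boundaries.
    for v in ("9.0.0", "9.0.15", "9.0.16", "9.1.4", "9.1.4-ifix01", "9.1.5", "8.11.0"):
        state = "AFFECTED" if is_affected(v) else "outside listed ranges"
        print(f"{v:>13}: {state}")
```

A version outside the listed ranges is reported only as "outside listed ranges", not as patched: the fix levels and any interim fixes are stated on the IBM advisory page, and a build tag on an affected base version is deliberately not interpreted by this helper.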
Details
- CWE(s)