CVE-2025-36418
Published: 20 January 2026
Summary
CVE-2025-36418 is a high-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Ibm Applinx. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 4.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-23 (Session Authenticity).
Deeper analysis
CVE-2025-36418 is a privilege escalation vulnerability in IBM ApplinX 11.1 caused by improper verification of JSON Web Tokens (JWTs). This flaw, linked to CWE-347 (Invalid or Incorrect Use of Primary Channel), enables attackers to craft or modify JWTs for unauthorized access. The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and low exploitation barriers.
An unauthenticated attacker with network access can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation allows the attacker to impersonate another user or elevate their privileges, potentially leading to low-level impacts on confidentiality, integrity, and availability.
IBM has issued a security advisory detailing the issue at https://www.ibm.com/support/pages/node/7257446, which provides guidance on mitigation and patching.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3365
Vulnerability details
IBM ApplinX 11.1 is vulnerable due to a privilege escalation vulnerability due to improper verification of JWT tokens. An attacker may be able to craft or modify a JSON web token in order to impersonate another user or to elevate…
more
their privileges.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct JWT forgery enables privilege escalation via impersonation (T1068) and forging of web credentials (T1606).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces access decisions by requiring correct JWT validation before granting user identity or privileges, blocking the crafted-token escalation path.
Mandates protection of session authenticity, which would require cryptographic verification of JWT signatures and claims to prevent tampering or impersonation.
Requires proper management and verification of authenticators (JWTs), ensuring token validation logic is implemented and cannot be bypassed.