Cyber Resilience

CVE-2025-36418

High

Published: 20 January 2026

Published
20 January 2026
Modified
26 January 2026
KEV Added
Patch
CVSS Score v3.1 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0015 4.5th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2025-36418 is a high-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Ibm Applinx. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 4.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-23 (Session Authenticity).

Deeper analysis

CVE-2025-36418 is a privilege escalation vulnerability in IBM ApplinX 11.1 caused by improper verification of JSON Web Tokens (JWTs). This flaw, linked to CWE-347 (Invalid or Incorrect Use of Primary Channel), enables attackers to craft or modify JWTs for unauthorized access. The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and low exploitation barriers.

An unauthenticated attacker with network access can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation allows the attacker to impersonate another user or elevate their privileges, potentially leading to low-level impacts on confidentiality, integrity, and availability.

IBM has issued a security advisory detailing the issue at https://www.ibm.com/support/pages/node/7257446, which provides guidance on mitigation and patching.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

IBM ApplinX 11.1 is vulnerable due to a privilege escalation vulnerability due to improper verification of JWT tokens. An attacker may be able to craft or modify a JSON web token in order to impersonate another user or to elevate…

more

their privileges.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1606 Forge Web Credentials Credential Access
Adversaries may forge credential materials that can be used to gain access to web applications or Internet services.
Why these techniques?

Direct JWT forgery enables privilege escalation via impersonation (T1068) and forging of web credentials (T1606).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-36184Same vendor: Ibm
CVE-2026-3623Same vendor: Ibm
CVE-2024-49814Same vendor: Ibm
CVE-2025-14604Same vendor: Ibm
CVE-2026-8179Same vendor: Ibm
CVE-2026-2311Same vendor: Ibm
CVE-2026-6389Same vendor: Ibm
CVE-2024-55898Same vendor: Ibm
CVE-2024-22341Same vendor: Ibm
CVE-2026-3621Same vendor: Ibm

Affected Assets

ibm
applinx
11.1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces access decisions by requiring correct JWT validation before granting user identity or privileges, blocking the crafted-token escalation path.

prevent

Mandates protection of session authenticity, which would require cryptographic verification of JWT signatures and claims to prevent tampering or impersonation.

prevent

Requires proper management and verification of authenticators (JWTs), ensuring token validation logic is implemented and cannot be bypassed.

References