Cyber Posture

CVE-2025-64647

Medium

Published: 25 March 2026
Modified: 26 March 2026
KEV Added: not listed
Patch: not listed
CVSS Score: 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0001 (1.2th percentile)
Risk Priority: 12 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-64647 is a medium-severity Use of a Cryptographic Primitive with a Risky Implementation (CWE-1240) vulnerability in IBM Concert. Its CVSS base score is 5.9 (Medium).

Operationally, its EPSS score places it at the 1.2th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-7 (Cryptographic Module Authentication) and SC-13 (Cryptographic Protection).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: SC-13 mandates the implementation of organization-defined cryptographic mechanisms compliant with standards, directly preventing the use of weaker cryptographic algorithms that enable decryption of sensitive information.

Prevent: IA-7 requires authentication of cryptographic modules to ensure only validated modules using strong, compliant algorithms are employed, mitigating the risk of weak cryptography in IBM Concert.

Prevent: SC-12 enforces cryptographic key establishment and management using approved mechanisms of equivalent strength, covering the key-management side of the weak algorithms used in decryption.

MITRE ATT&CK Enterprise Techniques

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v18.1

NVD Description

IBM Concert 1.0.0 through 2.2.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.

Deeper analysis

CVE-2025-64647 is a vulnerability in IBM Concert versions 1.0.0 through 2.2.0, where the software uses weaker than expected cryptographic algorithms. This flaw, tagged under CWE-1240, could enable an attacker to decrypt highly sensitive information. The issue received a CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) and was published on 2026-03-25.

A remote attacker requires no privileges or user interaction to target systems over the network, but exploitation demands high attack complexity. If successful, the attacker achieves high-impact confidentiality loss by decrypting sensitive data, with no impact on integrity or availability.

IBM provides mitigation details in its security advisory at https://www.ibm.com/support/pages/node/7267105.

Details

CWE(s): CWE-1240 (Use of a Cryptographic Primitive with a Risky Implementation)

Affected Products: IBM Concert (vendor: ibm, product: concert), versions 1.0.0 to 2.2.0

CVEs Like This One

CVE-2024-49354 (same product: IBM Concert)
CVE-2025-1719 (same product: IBM Concert)
CVE-2025-1722 (same product: IBM Concert)
CVE-2025-33089 (same product: IBM Concert)
CVE-2025-33015 (same product: IBM Concert)
CVE-2024-52367 (same product: IBM Concert)
CVE-2024-43178 (same product: IBM Concert)
CVE-2025-36253 (same product: IBM Concert)
CVE-2025-33088 (same product: IBM Concert)
CVE-2024-56340 (same vendor: IBM)

References

IBM security advisory: https://www.ibm.com/support/pages/node/7267105