Cyber Posture

CVE-2025-0975

High

Published: 28 February 2025

Modified: 03 July 2025
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0014 (33.0th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Description

IBM MQ 9.3 LTS, 9.3 CD, 9.4 LTS, and 9.4 CD console could allow an authenticated user to execute code due to improper neutralization of escape characters.

Security Summary

CVE-2025-0975 affects the console component of IBM MQ versions 9.3 LTS, 9.3 CD, 9.4 LTS, and 9.4 CD. The vulnerability stems from improper neutralization of escape characters (CWE-150), which could allow an authenticated user to execute code. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-02-28.

An authenticated user with low privileges can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. Exploitation enables arbitrary code execution, resulting in high impacts to confidentiality, integrity, and availability on the affected system.

The IBM security advisory at https://www.ibm.com/support/pages/node/7183467 provides details on mitigation, including available patches.

Details

CWE(s)
CWE-150

Affected Products

ibm mq appliance: 9.3.0 — 9.4.2 · 9.3.0.0 — 9.3.0.27 · 9.4.0.0 — 9.4.0.10