CVE-2025-36236
Published: 13 November 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-36236 is a directory traversal vulnerability (CWE-22) in the NIM server service, known as nimesis (formerly NIM master), affecting IBM AIX 7.2 and 7.3, as well as IBM VIOS 3.1 and 4.1. Published on 2025-11-13, the flaw allows a remote attacker to traverse directories on the system by sending a specially crafted URL request, enabling the writing of arbitrary files. It carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L), indicating high severity due to its network accessibility and lack of prerequisites.
An unauthenticated remote attacker with network access to the vulnerable NIM server can exploit this issue with low complexity and no user interaction required. Successful exploitation allows writing arbitrary files to the filesystem, which could lead to overwriting configuration files, injecting malicious code, or facilitating further attacks, resulting in high integrity impact and low availability impact with no direct confidentiality loss.
IBM has published a security advisory at https://www.ibm.com/support/pages/node/7251173 detailing the vulnerability, affected versions, and mitigation guidance, including available patches for remediation.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a directory traversal in a network-accessible NIM server service exploitable via crafted URL requests by unauthenticated remote attackers to write arbitrary files, directly enabling T1190 (Exploit Public-Facing Application).