CVE-2025-36250
Published: 13 November 2025
Description
Unix Shell (MITRE ATT&CK T1059.004): Adversaries may abuse Unix shell commands and scripts for execution. The vulnerability itself is described in the Security Summary below.
Security Summary
CVE-2025-36250 is a critical vulnerability in the NIM server service, the nimesis daemon, on IBM AIX 7.2 and 7.3 and IBM VIOS 3.1 and 4.1. The flaw is improper process control (CWE-114: Process Control) and allows a remote attacker to execute arbitrary commands. IBM describes it as covering additional attack vectors for a previously patched issue, CVE-2024-56346. CVSS v3.1 base score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
An unauthenticated attacker with network access to the NIM server can exploit the flaw with low attack complexity and no user interaction. Successful exploitation yields arbitrary command execution on the NIM server (formerly called the NIM master). The scope is rated as changed (S:C) because the NIM server controls software installation on its NIM clients, so compromise of the server can extend to the systems it manages, with full loss of confidentiality, integrity, and availability. Note that nimesis runs only on hosts configured as NIM servers; hosts that are NIM clients only do not expose this service.
IBM's advisory for this vulnerability, including the affected fileset levels and the fixes to apply, is at https://www.ibm.com/support/pages/node/7251173. Security practitioners should consult it for mitigation guidance and apply the recommended updates to affected AIX and VIOS systems.
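Before patching, a practitioner usually needs to find out which hosts are actually NIM servers and what level of the NIM master fileset they run. The script below is an added example, not part of this page or of IBM's advisory: it parses `lslpp -L` style output for the `bos.sysmgt.nim.master` fileset and compares its level against a minimum level supplied by the caller. The minimum level is an assumption you must take from the IBM advisory, and the sample `lslpp` output embedded here is constructed for the example, not captured from a real system.

```shell
#!/bin/sh
# Added example: inventory check for NIM servers. Not IBM's tooling.
# The "fixed level" argument is an assumption supplied by the caller from the
# IBM advisory; this script does not know the real fixed fileset levels.

# Print the level of the named fileset from `lslpp -L` output on stdin,
# or nothing if the fileset is not installed.
fileset_level() {
  awk -v fs="$1" '$1 == fs { print $2; exit }'
}

# Return 0 when dotted version $1 >= $2, else 1 (numeric, per component).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# Classify the host whose `lslpp -L` output is on stdin:
#   not-nim-master  the NIM master fileset is absent (nimesis cannot be running)
#   vulnerable      fileset present but below the fixed level given in $1
#   patched         fileset present at or above the fixed level
classify_host() {
  lvl=$(fileset_level bos.sysmgt.nim.master)
  if [ -z "$lvl" ]; then
    echo not-nim-master
    return 0
  fi
  if version_ge "$lvl" "$1"; then
    echo patched
  else
    echo vulnerable
  fi
}

# Constructed sample output in `lslpp -L` layout (NOT from a real system).
SAMPLE_MASTER='  Fileset                      Level  State  Type  Description
  ----------------------------------------------------------------------------
  bos.sysmgt.nim.client      7.3.2.0    C     F    Network Install Manager - Client Tools
  bos.sysmgt.nim.master      7.3.2.0    C     F    Network Install Manager - Master Tools'
SAMPLE_CLIENT='  bos.sysmgt.nim.client      7.3.2.0    C     F    Network Install Manager - Client Tools'

# Demonstration against the constructed samples (7.3.2.1 is a placeholder level):
printf '%s\n' "$SAMPLE_MASTER" | classify_host 7.3.2.1
printf '%s\n' "$SAMPLE_CLIENT" | classify_host 7.3.2.1

# On a real AIX host (on VIOS, first enter the root shell with oem_setup_env):
#   lslpp -L bos.sysmgt.nim.master | classify_host "$FIXED_LEVEL"
#   lssrc -s nimesis     # confirms whether the NIM master daemon is active
```

The fileset check tells you whether a host can be a NIM server at all; `lssrc -s nimesis` tells you whether the service is actually running, which is what matters for exposure of the unauthenticated network path described above. Hosts that only carry `bos.sysmgt.nim.client` still need the client-side fixes from the advisory but do not expose nimesis.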
Details
- CWE(s): CWE-114 (Process Control)
- Affected Products: IBM AIX 7.2 and 7.3; IBM VIOS 3.1 and 4.1
- MITRE ATT&CK Enterprise Techniques: T1210 (Exploitation of Remote Services); T1059.004 (Command and Scripting Interpreter: Unix Shell)
Why these techniques?
Unauthenticated remote arbitrary command execution vulnerability in the NIM server service directly enables Exploitation of Remote Services (T1210) and facilitates Unix Shell (T1059.004) command execution.