CVE-2025-36251

CVE-2025-36251 is a high-severity vulnerability in the nimsh service SSL/TLS implementations on IBM AIX 7.2 and 7.3, as well as IBM VIOS 3.1 and 4.1. It arises from improper process controls (CWE-114), enabling a remote attacker to execute arbitrary commands. Published on 2025-11-13, this issue addresses additional attack vectors related to a vulnerability previously fixed in CVE-2024-56347. The CVSS v3.1 base score is 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L).

A remote attacker can exploit this over the network with low attack complexity and no privileges required, though user interaction is necessary. Upon successful exploitation, the attacker achieves high confidentiality and integrity impacts, such as accessing sensitive data or modifying system behavior through arbitrary command execution, alongside low availability impact and a crossed scope that affects additional privileges or components.

IBM's security advisory at https://www.ibm.com/support/pages/node/7251173 details the vulnerability, affected versions, and recommended mitigation steps, including available patches.