CVE-2025-36386
Published: 28 October 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-36386 is an authentication bypass vulnerability affecting IBM Maximo Application Suite versions 9.0.0 through 9.0.15 and 9.1.0 through 9.1.4. It enables a remote attacker to circumvent authentication mechanisms and gain unauthorized access to the application. The vulnerability is associated with CWE-305 (Authentication Bypass Using an Alternate Path or Channel) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low attack complexity, and lack of prerequisites.
A remote attacker requires no privileges, user interaction, or special conditions to exploit this vulnerability over the network. Successful exploitation allows the attacker to bypass authentication entirely, resulting in high-impact unauthorized access that compromises confidentiality, integrity, and availability of the affected application.
IBM has published an advisory detailing the issue and mitigation steps at https://www.ibm.com/support/pages/node/7249416. Security practitioners should consult this reference for specific patch information and remediation guidance applicable to the vulnerable versions.
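A small triage helper, added here as an example and not taken from IBM or the advisory: it checks whether a Maximo Application Suite version string falls inside the affected ranges published above (using numeric tuple comparison, since a string compare would misorder 9.0.15 against 9.0.2) and recomputes the CVSS v3.1 base score from the published vector so the 9.8 rating can be verified independently. The weights are the standard CVSS v3.1 tables; only scope-unchanged vectors are handled.

```python
import math
import re

# Affected ranges as published in the advisory: 9.0.0-9.0.15 and 9.1.0-9.1.4 (inclusive).
AFFECTED_RANGES = [((9, 0, 0), (9, 0, 15)), ((9, 1, 0), (9, 1, 4))]

def parse_version(text):
    """'9.0.15' -> (9, 0, 15); tuples compare numerically, strings would not."""
    parts = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not parts:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in parts.groups())

def is_affected(version):
    """True when the version lies inside any published affected range."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

# CVSS v3.1 base-metric weights (PR weights are the scope-unchanged values).
_CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
_W = {"AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2},
      "AC": {"L": 0.77, "H": 0.44},
      "PR": {"N": 0.85, "L": 0.62, "H": 0.27},
      "UI": {"N": 0.85, "R": 0.62},
      "C": _CIA, "I": _CIA, "A": _CIA}

def _roundup(x):
    """CVSS v3.1 'Roundup': smallest one-decimal value >= x, per the spec's integer method."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def cvss31_base_score(vector):
    """Base score for a scope-unchanged CVSS v3.1 vector such as the one in this record."""
    m = dict(p.split(":") for p in vector.split("/"))
    if m.get("S") != "U":
        raise NotImplementedError("only S:U vectors are handled here")
    iss = 1 - (1 - _W["C"][m["C"]]) * (1 - _W["I"][m["I"]]) * (1 - _W["A"][m["A"]])
    impact = 6.42 * iss
    exploitability = 8.22 * _W["AV"][m["AV"]] * _W["AC"][m["AC"]] * _W["PR"][m["PR"]] * _W["UI"][m["UI"]]
    return 0.0 if impact <= 0 else _roundup(min(impact + exploitability, 10))

if __name__ == "__main__":
    for v in ("9.0.2", "9.0.15", "9.0.16", "9.1.4", "9.1.5"):
        print(v, "affected" if is_affected(v) else "not in affected range")
    print(cvss31_base_score("AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"))  # 9.8
```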
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an authentication bypass in a public-facing web application (IBM Maximo Application Suite), directly enabling remote exploitation for unauthorized access without privileges, aligning with T1190: Exploit Public-Facing Application.