IBM AIX users urged to patch immediately as researchers sound alarm on critical flaws
Network administrators should patch the four IBM AIX flaws as soon as possible
IBM has issued patches for four major flaws in IBM AIX and VIOS that allow a remote, unprivileged attacker to achieve arbitrary command execution on an exposed IBM Network Installation Manager (NIM).
The four vulnerabilities, tracked as CVE‑2025‑36250, CVE‑2025‑36251, CVE‑2025‑36236, and CVE‑2025‑36096, affect IBM AIX 7.2 and 7.3 as well as IBM VIOS 3.1 and 4.1 environments, with three of the four receiving a critical CVSS score.
All four flaws allow an attacker to 'hijack' unattended operating system installations and updates to deploy malicious payloads onto AIX hosts, move laterally, and persist in broader environments, according to an advisory from Mondoo.
Stay ahead of cyber risks with the NordStellar threat intelligence platform.
Black Friday offer! Illuminate the dark web with the code BLACKFRIDAY20 and get 20% off
“These four vulnerabilities on IBM AIX present a very serious threat because they allow a remote attacker with no privileges to perform arbitrary commands on an IBM Network Installation Manager (NIM) that’s exposed to the internet (which NIM servers typically are)," said Patrick Münch, Mondoo CSO.
"This means that they could 'hijack' unattended operating system installations and updates to deploy malicious payloads onto AIX hosts, move laterally, and persist in the broader environment."
How the IBM flaws work
CVE-2025-36250 carries a 10.0 CVSS score and affects the NIM service by allowing remote arbitrary command execution through improper process controls.
Researchers warned that an attacker could run commands of their choosing on the target AIX or VIOS system, gain full system control, install malware, create backdoors, move laterally and potentially pivot from the compromised system into other parts of the network.
Sign up today and you will receive a free copy of our Future Focus 2026 report - the leading resource for IT decision-maker insight on priorities and investment areas in AI, security and more.
Similarly, CVE‑2025‑36251 allows remote arbitrary command execution through improper process controls, affecting the SSL/TLS implementation in the NIM service.
With a critical CVSS score of 9.6, it could be used by a remote attacker to execute commands on the system, potentially without authentication. This could lead to a compromise of system integrity, data loss, or service disruption.
CVE‑2025‑36236, meanwhile, is a path-traversal vulnerability in the NIM service, allowing a remote attacker to send a specially crafted URL request to traverse directories or write arbitrary files on the system.
Researchers noted this could allow an attacker to drop malicious payloads in system directories, overwrite or inject into configuration files, or place web shells to facilitate further exploitation.
This particular flaw carries a CVSS score of 8.2, ranking it as high severity.
Finally, CVE‑2025‑36096 is a vulnerability in credential storage with a CVSS score of 9 (Critical). NIM private keys in IBM AIX are stored insecurely, meaning these can be accessed by an attacker via man-in-the-middle (MitM) techniques.
An attacker intercepting these communications or otherwise gaining access to the private keys could impersonate the NIM server or services or decrypt communications, which could result in system takeover.
Worst case scenarios
Researchers point out that, in combination, the four vulnerabilities could allow attackers to gain full access, impersonate services, move laterally, and persist or compromise broader network environments.
Moreover, the use of the operating system is widespread in critical industries, meaning the impact of a successful attack could be devastating.
"What makes this even more concerning is that IBM AIX is widely used in enterprise IT environments in critical sectors such as finance, insurance, retail, and healthcare, where high availability and security are essential," said Münch.
"Patch cycles are often delayed on IBM AIX because uptime is so critical for these enterprises. We haven’t seen any reports of active exploitation yet, but due to the high risk of these vulnerabilities, we strongly advise organizations to patch immediately.”
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- Patch management: Why firms ignore vulnerabilities at their own risk
- Threat actors are exploiting flaws quicker than ever – here's what business leaders should do
- Everything you need to know about patch and vulnerability management
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
-
AWS hits back at EU cloud 'gatekeeper' designation hintsNews Gatekeeper designation under the legislation would force AWS and Microsoft to make concessions
-
Is the Top500 meaningless? Not so, says US national laboratory CTOIn-depth LINPACK may measure only one process, but there are real and meaningful use cases for exascale systems
-
‘Traditional patching cannot keep pace’: Palo Alto Networks joins IBM’s Project Lightwell in bid to shore up software securityNews With traditional patching no longer able to keep pace with threats, the trio aims to create an automated "shield-and-fix" architecture
-
OpenAI expands 'Daybreak' cyber program: New tools, partnerships, and a cyber-focused GPT-5.5 aim to help 'patch the world'News The company has added new tools, signed up partners, and released its GPT-5.5-Cyber model more widely
-
AI is shrinking attack windows, and it’s forcing a complete rethink of cyber resilience – here’s how organizations can prepareNews Commvault has urged companies to improve their business continuity and resilience plans in the face of flaws spotted by AI
-
Anthropic targets vulnerability detection gains with Claude Security public beta — here's what users can expectNews The Claude Mythos developer is aiming for a more limited approach to cyber tooling for public consumption
-
Researchers warn millions of RDP and VNC servers are wide open to exploitationNews Researchers at Forescout spotted millions of RDP and VNC servers exposed online
-
Brace yourselves for a vulnerability explosion, Forescout warnsNews AI advances are helping identify software flaws at record pace and scale, but that's not the good news some would think
-
Ubuntu vulnerability exposes enterprises to root escalation, complete system compromiseNews The high-severity Ubuntu vulnerability allows an unprivileged local attacker to escalate privileges through the interaction of two standard system components
-
Security agencies issue warning over critical Cisco Catalyst SD-WAN vulnerabilityNews Threat actors have been exploiting the vulnerability to achieve root access since 2023

