IBM has issued patches for four major flaws in IBM AIX and VIOS that allow a remote, unprivileged attacker to achieve arbitrary command execution on an exposed IBM Network Installation Manager (NIM).
The four vulnerabilities, tracked as CVE‑2025‑36250, CVE‑2025‑36251, CVE‑2025‑36236, and CVE‑2025‑36096, affect IBM AIX 7.2 and 7.3 as well as IBM VIOS 3.1 and 4.1 environments, with three of the four receiving a critical CVSS score.
All four flaws allow an attacker to 'hijack' unattended operating system installations and updates to deploy malicious payloads onto AIX hosts, move laterally, and persist in broader environments, according to an advisory from Mondoo.
“These four vulnerabilities on IBM AIX present a very serious threat because they allow a remote attacker with no privileges to perform arbitrary commands on an IBM Network Installation Manager (NIM) that’s exposed to the internet (which NIM servers typically are)," said Patrick Münch, Mondoo CSO.
"This means that they could 'hijack' unattended operating system installations and updates to deploy malicious payloads onto AIX hosts, move laterally, and persist in the broader environment."
How the IBM flaws work
CVE-2025-36250 carries a 10.0 CVSS score and affects the NIM service by allowing remote arbitrary command execution through improper process controls.
Researchers warned that an attacker could run commands of their choosing on the target AIX or VIOS system, gain full system control, install malware, create backdoors, move laterally and potentially pivot from the compromised system into other parts of the network.
Similarly, CVE‑2025‑36251 allows remote arbitrary command execution through improper process controls, affecting the SSL/TLS implementation in the NIM service.
With a critical CVSS score of 9.6, it could be used by a remote attacker to execute commands on the system, potentially without authentication. This could lead to a compromise of system integrity, data loss, or service disruption.
CVE‑2025‑36236, meanwhile, is a path-traversal vulnerability in the NIM service, allowing a remote attacker to send a specially crafted URL request to traverse directories or write arbitrary files on the system.
Researchers noted this could allow an attacker to drop malicious payloads in system directories, overwrite or inject into configuration files, or place web shells to facilitate further exploitation.
This particular flaw carries a CVSS score of 8.2, ranking it as high severity.
Finally, CVE‑2025‑36096 is a vulnerability in credential storage with a CVSS score of 9 (Critical). NIM private keys in IBM AIX are stored insecurely, meaning these can be accessed by an attacker via man-in-the-middle (MitM) techniques.
An attacker intercepting these communications or otherwise gaining access to the private keys could impersonate the NIM server or services or decrypt communications, which could result in system takeover.
Worst case scenarios
Researchers point out that, in combination, the four vulnerabilities could allow attackers to gain full access, impersonate services, move laterally, and persist or compromise broader network environments.
Moreover, the use of the operating system is widespread in critical industries, meaning the impact of a successful attack could be devastating.
"What makes this even more concerning is that IBM AIX is widely used in enterprise IT environments in critical sectors such as finance, insurance, retail, and healthcare, where high availability and security are essential," said Münch.
"Patch cycles are often delayed on IBM AIX because uptime is so critical for these enterprises. We haven’t seen any reports of active exploitation yet, but due to the high risk of these vulnerabilities, we strongly advise organizations to patch immediately.”
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- Patch management: Why firms ignore vulnerabilities at their own risk
- Threat actors are exploiting flaws quicker than ever – here's what business leaders should do
- Everything you need to know about patch and vulnerability management
-
Hounslow Council partners with Amazon Web Services (AWS) to build resilience and transition away from legacy techSpomsored One of the most diverse and fastest-growing boroughs in London has completed a massive cloud migration project. Supported by AWS, it was able to work through any challenges
-
Salesforce targets better data, simpler licensing to spur Agentforce adoptionNews The combination of Agentforce 360, Data 360, and Informatica is more context for enterprise AI than ever before
-
The Scattered Lapsus$ Hunters group is targeting Zendesk customers – here’s what you need to knowNews The group appears to be infecting support and help-desk personnel with remote access trojans and other forms of malware
-
Impact of Asahi cyber attack laid bare as company confirms 1.5 million customers exposedNews No ransom has been paid, said president and group CEO Atsushi Katsuki, and the company is restoring its systems
-
If you're not taking insider threats seriously, then the CrowdStrike incident should be a big wake up callNews CrowdStrike has admitted an insider took screenshots of systems and shared them with hackers, and experts say it should serve as a wake up call for enterprises globally.
-
Shai-Hulud malware is back with a vengeance and has hit more than 19,000 GitHub repositories so far — here's what developers need to knowNews The malware has compromised more than 700 widely-used npm packages, and is spreading fast
-
Security experts claim the CVE Program isn’t up to scratch anymore — inaccurate scores and lengthy delays mean the system needs updatedNews CVE data is vital in combating emerging threats, yet inaccurate ratings and lengthy wait times are placing enterprises at risk
-
The US, UK, and Australia just imposed sanctions on a Russian cyber crime group – 'we are exposing their dark networks and going after those responsible'News Media Land offers 'bulletproof' hosting services used for ransomware and DDoS attacks around the world
-
Thousands of ASUS routers are being hijacked in a state-sponsored cyber espionage campaignNews Researchers believe that Operation WrtHug is being carried out by Chinese state-sponsored hackers
-
Logitech says zero-day attack saw hackers copy 'certain data' from internal IT systemsNews The incident is believed to have formed part of a campaign by the Clop extortion group that targeted customers of Oracle’s E-Business Suite
