IBM AIX users urged to patch immediately as researchers sound alarm on critical flaws
Network administrators should patch the four IBM AIX flaws as soon as possible
IBM has issued patches for four major flaws in IBM AIX and VIOS that allow a remote, unprivileged attacker to achieve arbitrary command execution on an exposed IBM Network Installation Manager (NIM).
The four vulnerabilities, tracked as CVE‑2025‑36250, CVE‑2025‑36251, CVE‑2025‑36236, and CVE‑2025‑36096, affect IBM AIX 7.2 and 7.3 as well as IBM VIOS 3.1 and 4.1 environments, with three of the four receiving a critical CVSS score.
All four flaws allow an attacker to 'hijack' unattended operating system installations and updates to deploy malicious payloads onto AIX hosts, move laterally, and persist in broader environments, according to an advisory from Mondoo.
“These four vulnerabilities on IBM AIX present a very serious threat because they allow a remote attacker with no privileges to perform arbitrary commands on an IBM Network Installation Manager (NIM) that’s exposed to the internet (which NIM servers typically are)," said Patrick Münch, Mondoo CSO.
"This means that they could 'hijack' unattended operating system installations and updates to deploy malicious payloads onto AIX hosts, move laterally, and persist in the broader environment."
How the IBM flaws work
CVE-2025-36250 carries a 10.0 CVSS score and affects the NIM service by allowing remote arbitrary command execution through improper process controls.
Researchers warned that an attacker could run commands of their choosing on the target AIX or VIOS system, gain full system control, install malware, create backdoors, move laterally and potentially pivot from the compromised system into other parts of the network.
Similarly, CVE‑2025‑36251 allows remote arbitrary command execution through improper process controls, affecting the SSL/TLS implementation in the NIM service.
With a critical CVSS score of 9.6, it could be used by a remote attacker to execute commands on the system, potentially without authentication. This could lead to a compromise of system integrity, data loss, or service disruption.
CVE‑2025‑36236, meanwhile, is a path-traversal vulnerability in the NIM service, allowing a remote attacker to send a specially crafted URL request to traverse directories or write arbitrary files on the system.
Researchers noted this could allow an attacker to drop malicious payloads in system directories, overwrite or inject into configuration files, or place web shells to facilitate further exploitation.
This particular flaw carries a CVSS score of 8.2, ranking it as high severity.
Finally, CVE‑2025‑36096 is a vulnerability in credential storage with a CVSS score of 9 (Critical). NIM private keys in IBM AIX are stored insecurely, meaning these can be accessed by an attacker via man-in-the-middle (MitM) techniques.
An attacker intercepting these communications or otherwise gaining access to the private keys could impersonate the NIM server or services or decrypt communications, which could result in system takeover.
Worst case scenarios
Researchers point out that, in combination, the four vulnerabilities could allow attackers to gain full access, impersonate services, move laterally, and persist or compromise broader network environments.
Moreover, the use of the operating system is widespread in critical industries, meaning the impact of a successful attack could be devastating.
"What makes this even more concerning is that IBM AIX is widely used in enterprise IT environments in critical sectors such as finance, insurance, retail, and healthcare, where high availability and security are essential," said Münch.
"Patch cycles are often delayed on IBM AIX because uptime is so critical for these enterprises. We haven’t seen any reports of active exploitation yet, but due to the high risk of these vulnerabilities, we strongly advise organizations to patch immediately.”
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- Patch management: Why firms ignore vulnerabilities at their own risk
- Threat actors are exploiting flaws quicker than ever – here's what business leaders should do
- Everything you need to know about patch and vulnerability management
-
78% of UK manufacturers have experienced a cyber incident in the last yearNews Last year's attack on Jaguar Land Rover shows the costs can be very significant indeed
-
Claude Code creator confirms cause of massive source code leakNews Over half a million lines of Claude Code source code was leaked, with the company attributing the blunder to human error
-
Ubuntu vulnerability exposes enterprises to root escalation, complete system compromiseNews The high-severity Ubuntu vulnerability allows an unprivileged local attacker to escalate privileges through the interaction of two standard system components
-
Security agencies issue warning over critical Cisco Catalyst SD-WAN vulnerabilityNews Threat actors have been exploiting the vulnerability to achieve root access since 2023
-
Using AI to generate passwords is a terrible idea, experts warnNews Researchers have warned the use of AI-generated passwords puts users and businesses at risk
-
Millions of developers could be impacted by flaws in Visual Studio Code extensions – here's what you need to know and how to protect yourselfNews The VS Code vulnerabilities highlight broader IDE security risks, said OX Security
-
Researchers called on LastPass, Dashlane, and Bitwarden to up defenses after severe flaws put 60 million users at risk – here’s how each company respondedNews Analysts at ETH Zurich called for cryptographic standard improvements after a host of password managers were found lacking
-
‘They are able to move fast now’: AI is expanding attack surfaces – and hackers are looking to reap the same rewards as enterprises with the technologyNews Potent new malware strains, faster attack times, and the rise of shadow AI are causing havoc
-
Ransomware gangs are using employee monitoring software as a springboard for cyber attacksNews Two attempted attacks aimed to exploit Net Monitor for Employees Professional and SimpleHelp
-
CVEs are set to top 50,000 this year, marking a record high – here’s how CISOs and security teams can prepare for a looming onslaughtNews While the CVE figures might be daunting, they won't all be relevant to your organization
