IBM AIX users urged to patch immediately as researchers sound alarm on critical flaws
Network administrators should patch the four IBM AIX flaws as soon as possible
IBM has issued patches for four major flaws in IBM AIX and VIOS that allow a remote, unprivileged attacker to achieve arbitrary command execution on an exposed IBM Network Installation Manager (NIM).
The four vulnerabilities, tracked as CVE-2025-36250, CVE-2025-36251, CVE-2025-36236, and CVE-2025-36096, affect IBM AIX 7.2 and 7.3 as well as IBM VIOS 3.1 and 4.1 environments, with three of the four receiving a critical CVSS score.
All four flaws allow an attacker to 'hijack' unattended operating system installations and updates to deploy malicious payloads onto AIX hosts, move laterally, and persist in broader environments, according to an advisory from Mondoo.
“These four vulnerabilities on IBM AIX present a very serious threat because they allow a remote attacker with no privileges to perform arbitrary commands on an IBM Network Installation Manager (NIM) that’s exposed to the internet (which NIM servers typically are),” said Patrick Münch, Mondoo CSO.
“This means that they could ‘hijack’ unattended operating system installations and updates to deploy malicious payloads onto AIX hosts, move laterally, and persist in the broader environment.”
How the IBM flaws work
CVE-2025-36250 carries a 10.0 CVSS score and affects the NIM service by allowing remote arbitrary command execution through improper process controls.
Researchers warned that an attacker could run commands of their choosing on the target AIX or VIOS system, gain full system control, install malware, create backdoors, move laterally and potentially pivot from the compromised system into other parts of the network.
Similarly, CVE-2025-36251 allows remote arbitrary command execution through improper process controls, affecting the SSL/TLS implementation in the NIM service.
With a critical CVSS score of 9.6, it could be used by a remote attacker to execute commands on the system, potentially without authentication. This could lead to a compromise of system integrity, data loss, or service disruption.
CVE-2025-36236, meanwhile, is a path-traversal vulnerability in the NIM service, allowing a remote attacker to send a specially crafted URL request to traverse directories or write arbitrary files on the system.
Researchers noted this could allow an attacker to drop malicious payloads in system directories, overwrite or inject into configuration files, or place web shells to facilitate further exploitation.
This particular flaw carries a CVSS score of 8.2, ranking it as high severity.
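The path-traversal class described above comes down to a missing containment check: a service joins a client-supplied path onto its base directory and never verifies that the normalised result still lies inside it. The following is an added illustration of that check in Python, written for this article and not taken from IBM, NIM or the Mondoo advisory; the base directory, file names and sample request paths are constructed placeholders, and the hardened check is shown beside the vulnerable pattern it replaces.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical base directory served by an install/file service; not NIM's real layout.
BASE_DIR = "/export/nim/files"


def naive_resolve(base, requested):
    """Vulnerable pattern: join and normalise, but never check that the result
    still lies inside `base`. '../' segments in `requested` walk out of it."""
    return posixpath.normpath(posixpath.join(base, requested))


def safe_resolve(base, requested):
    """Hardened version: returns the resolved path, or None if the request
    would escape `base` (URL-encoded traversal, absolute paths, NUL bytes)."""
    decoded = unquote(requested)            # decode once, as the server would: '%2F' -> '/'
    if "\x00" in decoded or decoded.startswith("/"):
        return None                         # posixpath.join discards base for '/...'
    base_norm = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base_norm, decoded))
    # Containment check: the base itself, or a path strictly under base + '/'.
    if candidate != base_norm and not candidate.startswith(base_norm + "/"):
        return None
    return candidate


# Constructed sample request paths, as a log-review rule might see them.
SAMPLE_REQUESTS = [
    "spot/bosinst.data",
    "tmp/../spot/bosinst.data",
    "../../../etc/passwd",
    "..%2F..%2F..%2Fetc%2Fpasswd",
    "/etc/passwd",
]


def screen_requests(base, requests):
    """Classify each request as 'allowed' or 'rejected' under the hardened check."""
    return {r: ("allowed" if safe_resolve(base, r) is not None else "rejected")
            for r in requests}


if __name__ == "__main__":
    for req, verdict in screen_requests(BASE_DIR, SAMPLE_REQUESTS).items():
        print(f"{verdict:8s} {req!r} -> naive: {naive_resolve(BASE_DIR, req)}")
```

The check is string-level and deliberately decodes percent-encoding exactly once, so a doubly encoded sequence stays a literal path component rather than being collapsed into a traversal. On a real filesystem the same containment test should be run on `os.path.realpath` output so that symlinks under the base directory cannot point outside it.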
Finally, CVE-2025-36096 is a vulnerability in credential storage with a CVSS score of 9 (Critical). NIM private keys in IBM AIX are stored insecurely, meaning these can be accessed by an attacker via man-in-the-middle (MitM) techniques.
An attacker intercepting these communications or otherwise gaining access to the private keys could impersonate the NIM server or services or decrypt communications, which could result in system takeover.
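Insecure private-key storage is something administrators can audit for themselves while waiting for a patch window. The script below is an added example for this article, not IBM's or Mondoo's tooling, and it does not know NIM's real key locations: it walks a directory you name, flags key files whose permission bits allow group or world access, and flags PEM files whose header shows the key is stored unencrypted. The PEM bodies it writes for its self-test are constructed placeholders, not real keys.

```python
import os
import stat
import tempfile

# Constructed PEM bodies: the payload lines are placeholders, not real key material.
# Only the header line matters to this audit.
UNENCRYPTED_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "PLACEHOLDERNOTAREALKEY\n"
    "-----END RSA PRIVATE KEY-----\n"
)
ENCRYPTED_PEM = (
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
    "PLACEHOLDERNOTAREALKEY\n"
    "-----END ENCRYPTED PRIVATE KEY-----\n"
)


def audit_key_file(path):
    """Return a list of findings for one private-key file:
    loose permission bits and a plaintext (unencrypted) PEM header."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IWGRP):
        findings.append("group-accessible")
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append("world-accessible")
    with open(path, "r", encoding="ascii", errors="replace") as f:
        header = f.readline().strip()
    if "PRIVATE KEY" in header and "ENCRYPTED" not in header:
        findings.append("unencrypted-private-key")
    return findings


def audit_directory(directory, suffixes=(".key", ".pem")):
    """Audit every key-looking file under `directory`; returns {path: findings}."""
    report = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if name.endswith(suffixes):
                p = os.path.join(root, name)
                report[p] = audit_key_file(p)
    return report


def demo():
    """Create three constructed key files in a temporary directory and audit them.
    Returns {filename: findings} so the outcome can be checked programmatically."""
    cases = [
        ("loose.key", UNENCRYPTED_PEM, 0o644),   # plaintext key readable by everyone
        ("tight.key", ENCRYPTED_PEM, 0o600),     # encrypted key, owner-only
        ("plain.key", UNENCRYPTED_PEM, 0o600),   # owner-only but still unencrypted
    ]
    with tempfile.TemporaryDirectory() as d:
        for name, body, mode in cases:
            p = os.path.join(d, name)
            with open(p, "w") as f:
                f.write(body)
            os.chmod(p, mode)
        return {os.path.basename(p): f for p, f in audit_directory(d).items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```

Run it against a directory of your own choosing with `audit_directory("/path/to/keys")`; a clean result is an empty findings list for every file. The permission check alone is not sufficient, as the `plain.key` case shows: an owner-only file that holds an unencrypted key is still exposed to anyone who obtains root or a backup copy of the filesystem.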
Worst case scenarios
Researchers point out that, in combination, the four vulnerabilities could allow attackers to gain full access, impersonate services, move laterally, and persist or compromise broader network environments.
Moreover, the use of the operating system is widespread in critical industries, meaning the impact of a successful attack could be devastating.
“What makes this even more concerning is that IBM AIX is widely used in enterprise IT environments in critical sectors such as finance, insurance, retail, and healthcare, where high availability and security are essential,” said Münch.
“Patch cycles are often delayed on IBM AIX because uptime is so critical for these enterprises. We haven’t seen any reports of active exploitation yet, but due to the high risk of these vulnerabilities, we strongly advise organizations to patch immediately.”
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.