CRITICAL🇵🇱 Wersja polska

CVE-2025-36250

CVSS 10.0v3.1pub. 2025-11-13upd. 2025-11-19

IBM AIX 7.2, and 7.3 and IBM VIOS 3.1, and 4.1 NIM server (formerly known as NIM master) service (nimesis) could allow a remote attacker to execute arbitrary commands due to improper process controls.  This addresses additional attack vectors for a vulnerability that was previously addressed in CVE-2024-56346.

🤖 AI Analysis
How it works

The vulnerability results from improper process control (CWE-114) in the NIM server service (formerly known as NIM master), running under the process name nimesis. A remote attacker, without the need for authentication and without user interaction, can send a specially crafted network request, which results in the execution of arbitrary commands in the service context. CVE-2025-36250 addresses additional attack vectors for a vulnerability that was already partially patched as part of CVE-2024-56346, meaning that the previous patch did not fully eliminate the issue.

Impact

An attacker can remotely execute arbitrary system commands without authentication, which in practice means the possibility of taking full control of the NIM server, violating data confidentiality and integrity, and causing system unavailability.

Mitigation & patch

Apply patches available from the vendor in accordance with references published at https://www.ibm.com/support/pages/node/7251173. Additionally, until the patch is implemented, it is recommended to restrict network access to the nimesis service only to trusted hosts using a firewall or ACL rules at the network level.

Who is affected

IBM AIX 7.2 and 7.3, IBM VIOS 3.1 and 4.1 — systems running the NIM server service (nimesis)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • IBM Aix

    OS
    Ibm
    7.27.3
  • IBM Vios

    APP
    Ibm
    3.1.04.1.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-36096CRITICAL9.0PL ✓ten sam produkt

IBM AIX/VIOS: Niebezpieczne przechowywanie kluczy prywatnych NIM

CVE-2025-36251CRITICAL9.6PL ✓ten sam produkt

IBM AIX / VIOS nimsh — RCE przez wadliwą implementację SSL/TLS

CVE-2025-36038CRITICAL9.0PL ✓ten sam produkt

RCE w IBM WebSphere Application Server przez niebezpieczną deserializację

CVE-2024-56346CRITICAL10.0PL ✓ten sam produkt

IBM AIX: RCE w usłudze nimesis NIM master (CVSS 10.0)

CVE-2024-56347CRITICAL9.6PL ✓ten sam produkt

IBM AIX: RCE przez błędne mechanizmy kontroli procesów w usłudze nimsh (SSL/TLS)