
CVE-2025-36023: CWE-639 Authorization Bypass Through User-Controlled Key in IBM Cloud Pak for Business Automation

Medium
Published: Fri Aug 08 2025 (08/08/2025, 14:51:12 UTC)
Source: CVE Database V5
Vendor/Project: IBM
Product: Cloud Pak for Business Automation

Description

IBM Cloud Pak for Business Automation 24.0.0 through 24.0.0 IF005 and 24.0.1 through 24.0.1 IF002 could allow an authenticated user to view sensitive user and system information due to an indirect object reference through a user-controlled key.

AI-Powered Analysis

AI analysis last updated: 08/08/2025, 15:17:51 UTC

Technical Analysis

CVE-2025-36023 is a medium-severity vulnerability in IBM Cloud Pak for Business Automation 24.0.0 through 24.0.0 IF005 and 24.0.1 through 24.0.1 IF002. It is classified as CWE-639, Authorization Bypass Through User-Controlled Key: the application takes an identifier supplied by the client (for example a user, document or task id in a URL or request body), uses it directly to look up the corresponding object, and does not check that the authenticated caller is entitled to that particular object. An authenticated user can therefore substitute another identifier and read user and system information that should be restricted to other principals; this is the insecure direct object reference (IDOR) pattern. Exploitation needs valid credentials but no further user interaction, and the attack vector is network-based, so any account holder who can reach the application can attempt it remotely. The CVSS v3.1 base score of 6.5 reflects a high confidentiality impact with no integrity or availability impact and an unchanged scope (only the vulnerable component is affected). No exploits were known in the wild at the time of writing. The record lists no patch links; the affected ranges end at 24.0.0 IF005 and 24.0.1 IF002, so consult IBM's security bulletin for the interim fix level that supersedes them. In short, the flaw is a missing per-object authorization check on a user-controlled key, leading to unauthorized data disclosure within the platform.
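The following is an added illustration of the CWE-639 pattern described above, not IBM code and not derived from Cloud Pak internals: the record store, the field names, the role model and the function names are all assumptions chosen to show the difference between an endpoint that merely authenticates the caller and one that also authorizes the caller for the specific object requested.

```python
"""CWE-639 / IDOR illustration: user-controlled key used as a lookup key without an
ownership check (vulnerable), beside two fixed shapes.

Added example, not IBM code. PROFILES, Principal, the role names and the function
names are assumptions for demonstration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """The authenticated caller, as established by the session, never by the request."""
    name: str
    role: str  # assumed values: "user" or "admin"


# Constructed sample data: profile records keyed by a guessable integer identifier.
PROFILES = {
    1001: {"owner": "alice", "email": "alice@example.test", "api_token": "tok-alice"},
    1002: {"owner": "bob", "email": "bob@example.test", "api_token": "tok-bob"},
    1003: {"owner": "carol", "email": "carol@example.test", "api_token": "tok-carol"},
}


def get_profile_vulnerable(caller: Principal, profile_id: int) -> dict:
    """Vulnerable: authenticates the caller but authorizes nothing.

    The user-controlled key (profile_id) is used directly as the lookup key, so any
    authenticated user can read any profile by changing the number in the request.
    """
    try:
        return PROFILES[profile_id]
    except KeyError:
        raise LookupError("no such profile")


def get_profile_hardened(caller: Principal, profile_id: int) -> dict:
    """Hardened: the key is still user-controlled, but ownership is checked per object.

    Unknown and forbidden ids produce the same error so a caller cannot learn which
    identifiers exist by probing.
    """
    record = PROFILES.get(profile_id)
    if record is None or not (record["owner"] == caller.name or caller.role == "admin"):
        raise PermissionError("not found or not permitted")
    return record


def get_own_profile(caller: Principal) -> dict:
    """Safest shape for 'my profile' style endpoints: derive the key from the session.

    No client-supplied identifier exists, so there is nothing to tamper with.
    """
    for record in PROFILES.values():
        if record["owner"] == caller.name:
            return record
    raise LookupError("caller has no profile")


if __name__ == "__main__":
    bob = Principal("bob", "user")
    # Bob changes 1002 to 1001 in the request: the vulnerable path hands over Alice's token.
    print("vulnerable:", get_profile_vulnerable(bob, 1001)["api_token"])
    try:
        get_profile_hardened(bob, 1001)
    except PermissionError as exc:
        print("hardened:", exc)
    print("own profile:", get_own_profile(bob)["email"])
```

The design point is that authentication answers "who is calling" while authorization must be answered again for every object the key resolves to; checking the caller's role alone is not enough when the key selects another user's record.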

Potential Impact

For European organizations running IBM Cloud Pak for Business Automation, the risk is to confidentiality. Exposed user and system information can seed further targeted attacks, amount to a personal-data breach, and trigger notification duties and penalties under regulations such as GDPR. Because exploitation requires authentication, the realistic threat actors are malicious insiders and attackers holding compromised or phished accounts; the network attack vector means such an attacker needs no additional user interaction once logged in. Sectors that rely on the product for business process automation and workflow management, such as finance, healthcare, government and critical infrastructure, are most exposed because the workflows it orchestrates typically carry regulated data. The absence of known in-the-wild exploits lowers the immediate risk but not the longer-term one: IDOR flaws are simple to exploit once the vulnerable endpoint and key are known, and public details invite probing.

Mitigation Recommendations

European organizations should prioritize the following steps:

1) Apply IBM-provided patches or interim fixes as soon as they become available; this is the only control that removes the flaw. The affected ranges end at 24.0.0 IF005 and 24.0.1 IF002, so check IBM's security bulletin for the fix level that supersedes them. Until it is applied, treat the items below as compensating controls.
2) Restrict access: review which accounts can authenticate to Cloud Pak for Business Automation at all, remove dormant and shared accounts, and limit each remaining user to the minimum privileges their role needs. The flaw is reachable by any authenticated user, so the size of the authenticated population is the attack surface.
3) Monitor for exploitation: the telltale pattern is one principal requesting objects that belong to other users, or walking through many distinct object identifiers in a short time. Log the requesting principal and the object identifier for each sensitive read, correlate with the object's owner, and alert on cross-owner access and on bursts of distinct identifiers, including bursts of 403/404 responses once the fix is in place.
4) Reduce the chance of account compromise: enforce multi-factor authentication and strong password policies, and brief users and administrators on phishing and credential reuse. Note that MFA does not stop an already-authenticated user from exploiting an IDOR; it only lowers the likelihood that an outsider obtains a usable account.
5) Segment the network so the platform's interfaces are reachable only from the networks and jump hosts that need them, shrinking the set of locations from which a stolen credential can be used.
6) Have authorization testing performed against the affected versions: for each endpoint that accepts an object identifier, confirm that a low-privileged account cannot read objects owned by another account by changing the identifier.
7) Engage IBM support for the remediation timeline and any interim guidance.
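The monitoring steps above can be turned into a small detection job. The following is an added example, not an IBM or Cloud Pak feature: the access-log format, the ownership table, the endpoint path and the enumeration threshold are assumptions, and the parser must be adapted to whatever access log the platform actually emits. It flags successful reads of objects the requester does not own and principals that touch an unusual number of distinct identifiers, which catches enumeration both before a fix (bursts of 200s) and after it (bursts of 403/404s).

```python
"""Detection sketch for IDOR exploitation: cross-owner reads and identifier enumeration.

Added example, not IBM code. LINE_RE, OWNERS, ENUM_THRESHOLD and SAMPLE_LOG are
assumptions; real deployments have their own log shape and ownership source.
"""
import re
from collections import defaultdict

# Assumed access-log shape; real logs will differ.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>[A-Z]+) "
    r"/api/profiles/(?P<obj>\d+) status=(?P<status>\d{3})$"
)

# Constructed ownership table (in production this comes from the application's data).
OWNERS = {1001: "alice", 1002: "bob", 1003: "carol", 1004: "dave"}

ENUM_THRESHOLD = 3  # a user touching more distinct ids than this is reported


def parse(lines):
    """Yield one event dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield {"ts": m["ts"], "user": m["user"],
                   "obj": int(m["obj"]), "status": int(m["status"])}


def find_cross_owner_reads(events, owners, admins=frozenset()):
    """Successful reads where the requesting user is neither the owner nor an admin."""
    return [
        (e["ts"], e["user"], e["obj"], owners.get(e["obj"]))
        for e in events
        if e["status"] == 200
        and e["user"] not in admins
        and owners.get(e["obj"]) != e["user"]
    ]


def find_enumerators(events, threshold=ENUM_THRESHOLD):
    """Users touching more than `threshold` distinct object ids, regardless of status.

    Counting distinct ids rather than status codes catches enumeration both before a
    fix (successful reads) and after it (a run of 403/404 responses).
    """
    seen = defaultdict(set)
    for e in events:
        seen[e["user"]].add(e["obj"])
    return {user: sorted(ids) for user, ids in seen.items() if len(ids) > threshold}


# Constructed sample log: bob reads his own profile, then walks neighbouring ids.
SAMPLE_LOG = """\
2025-08-08T14:51:12Z user=alice GET /api/profiles/1001 status=200
2025-08-08T14:51:20Z user=bob GET /api/profiles/1002 status=200
2025-08-08T14:51:21Z user=bob GET /api/profiles/1001 status=200
2025-08-08T14:51:22Z user=bob GET /api/profiles/1003 status=200
2025-08-08T14:51:23Z user=bob GET /api/profiles/1004 status=403
garbage line that should be ignored
2025-08-08T14:52:00Z user=carol GET /api/profiles/1003 status=200
""".splitlines()


def analyze(lines, owners=OWNERS, admins=frozenset()):
    """Run both detectors over a log and return their findings."""
    events = list(parse(lines))
    return {
        "cross_owner": find_cross_owner_reads(events, owners, admins),
        "enumerators": find_enumerators(events),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ts, user, obj, owner in result["cross_owner"]:
        print(f"ALERT {ts} {user} read profile {obj} owned by {owner}")
    for user, ids in result["enumerators"].items():
        print(f"ALERT {user} touched {len(ids)} distinct profiles: {ids}")
```

On the constructed log the cross-owner detector reports bob's reads of 1001 and 1003, and the enumeration detector reports bob for touching four distinct identifiers; alice and carol, who only read their own records, produce no alerts. Tune the threshold to the normal per-user spread of object ids in your environment, and exclude service accounts that legitimately read across owners by listing them in `admins`.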


Technical Details

Data Version
5.1
Assigner Short Name
ibm
Date Reserved
2025-04-15T21:16:08.835Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68961198ad5a09ad0004c7f2

Added to database: 8/8/2025, 3:02:48 PM

Last enriched: 8/8/2025, 3:17:51 PM

Last updated: 8/15/2025, 12:44:25 PM
