CVE-2025-36057: CWE-299 Authentication Bypass Using an Alternate Path or Channel in IBM Cognos Analytics Mobile
IBM Cognos Analytics Mobile (iOS) 1.1.0 through 1.1.22 is vulnerable to authentication bypass by using the Local Authentication Framework library which is not needed as biometric authentication is not used in the application.
AI Analysis
Technical Summary
CVE-2025-36057 is a medium severity vulnerability affecting IBM Cognos Analytics Mobile for iOS versions 1.1.0 through 1.1.22. The vulnerability stems from an authentication bypass issue categorized under CWE-299 (Authentication Bypass Using an Alternate Path or Channel). Specifically, the application utilizes the Local Authentication Framework library, which is unnecessary since the app does not implement biometric authentication. This unneeded dependency creates an alternate authentication path that attackers can use to bypass normal authentication controls without requiring user interaction or prior privileges. The CVSS 3.1 base score is 5.2, reflecting a vulnerability that requires physical access to the device (AV:P), with low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The impact on confidentiality is low, but the integrity impact is high, as unauthorized users could potentially manipulate or alter sensitive analytics data or reports within the application. Availability is not affected. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability is specific to the iOS mobile client of IBM Cognos Analytics, a business intelligence and analytics platform widely used for data reporting and decision-making.
Potential Impact
For European organizations using IBM Cognos Analytics Mobile on iOS devices, this vulnerability poses a risk of unauthorized access to sensitive business intelligence data. Attackers exploiting this flaw could bypass authentication controls and gain access to internal analytics reports, potentially leading to data integrity compromises such as unauthorized data manipulation or report tampering. This could undermine decision-making processes, expose confidential business insights, and damage organizational reputation. Although the confidentiality impact is rated low, the high integrity impact means that the trustworthiness of analytics data could be compromised. Since the vulnerability requires physical access to the device (per CVSS vector AV:P), the risk is higher in environments where devices are shared, lost, or stolen. Because no user interaction or privileges are required, exploitation is easier once physical access is obtained. European organizations in sectors relying heavily on data analytics, such as finance, manufacturing, and government, may face operational and compliance risks if this vulnerability is exploited.
Mitigation Recommendations
Organizations should immediately assess their use of IBM Cognos Analytics Mobile on iOS devices and restrict physical access to these devices to trusted personnel only. Until an official patch is released by IBM, consider disabling or limiting the use of the mobile application on iOS devices, especially in high-risk environments. Implement device-level security controls such as strong passcodes, remote wipe capabilities, and mobile device management (MDM) solutions to prevent unauthorized physical access and enable rapid response if a device is lost or stolen. Monitor application and device logs for unusual access patterns indicative of authentication bypass attempts. Engage with IBM support to obtain updates on patch availability and apply security updates promptly once released. Additionally, review and reinforce backend access controls and data validation mechanisms to detect and prevent unauthorized data manipulation originating from compromised mobile clients.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: ibm
- Date Reserved: 2025-04-15T21:16:11.325Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 687e8777a83201eaac127e6c
Added to database: 7/21/2025, 6:31:19 PM
Last enriched: 8/19/2025, 1:17:31 AM
Last updated: 10/1/2025, 7:59:04 AM