CVE-2025-36057: CWE-299 Authentication Bypass Using an Alternate Path or Channel in IBM Cognos Analytics Mobile

Medium
Tags: Vulnerability, CVE-2025-36057, cve, cwe-299
Published: Mon Jul 21 2025 (07/21/2025, 18:10:32 UTC)
Source: CVE Database V5
Vendor/Project: IBM
Product: Cognos Analytics Mobile

Description

IBM Cognos Analytics Mobile (iOS) 1.1.0 through 1.1.22 is vulnerable to authentication bypass by using the Local Authentication Framework library which is not needed as biometric authentication is not used in the application.

AI-Powered Analysis

Last updated: 07/21/2025, 18:46:34 UTC

Technical Analysis

CVE-2025-36057 is a medium-severity authentication bypass vulnerability affecting IBM Cognos Analytics Mobile for iOS versions 1.1.0 through 1.1.22. The root cause lies in the improper use of the Local Authentication Framework library within the application. Although the application does not utilize biometric authentication, it still incorporates this library, which introduces an alternate authentication path that can be exploited to bypass the intended authentication mechanisms. Specifically, this vulnerability is categorized under CWE-299, which refers to authentication bypass by using an alternate path or channel. An attacker with network-level access (as indicated by the CVSS vector AV:P) can exploit this flaw without requiring any privileges or user interaction, potentially gaining unauthorized access to the application’s functionality or data. The CVSS score of 5.2 reflects a moderate risk, with low impact on confidentiality but high impact on integrity, and no impact on availability. The vulnerability does not appear to have known exploits in the wild yet, and no patches have been linked at the time of publication. The issue arises from a design oversight where the Local Authentication Framework is included unnecessarily, creating an exploitable alternate authentication path that undermines the security model of the mobile application.

Potential Impact

For European organizations using IBM Cognos Analytics Mobile on iOS devices, this vulnerability could lead to unauthorized access to sensitive business intelligence data and analytics dashboards. Since Cognos Analytics is often used for decision-making and reporting, an attacker exploiting this flaw could manipulate or alter reports, leading to misinformation and potential operational disruptions. The integrity impact is significant, as attackers can potentially alter data or analytics outputs without detection. Confidentiality impact is limited but present, as unauthorized users may gain access to restricted information. Availability is not affected. Given that the vulnerability requires network-level access but no authentication or user interaction, attackers could exploit it within corporate networks or through compromised devices connected to the same network. This risk is particularly relevant for organizations with mobile workforces or those that allow Bring Your Own Device (BYOD) policies, increasing the attack surface. The absence of biometric authentication in the app means the vulnerability stems from legacy or unnecessary code inclusion, highlighting a need for secure development lifecycle practices. Without timely mitigation, European enterprises relying on this mobile analytics tool may face data integrity risks and potential compliance issues under regulations like GDPR if unauthorized data access or manipulation occurs.

Mitigation Recommendations

European organizations should immediately assess their deployment of IBM Cognos Analytics Mobile on iOS and identify affected versions (1.1.0 through 1.1.22). Until IBM releases an official patch, organizations should consider the following specific mitigations:

1) Restrict network access to the mobile application backend using network segmentation and firewall rules to limit exposure to trusted devices and users only.
2) Enforce strict mobile device management (MDM) policies to control which devices can install and run the vulnerable app versions, and consider disabling or uninstalling the app on devices where it is not essential.
3) Monitor application logs and network traffic for unusual authentication attempts or access patterns that could indicate exploitation attempts.
4) Engage with IBM support to obtain any interim fixes or guidance and plan for prompt patch deployment once available.
5) Review and harden authentication mechanisms at the backend, such as implementing additional multi-factor authentication (MFA) controls outside the mobile app to compensate for the app's vulnerability.
6) Educate users about the risk and encourage reporting of suspicious behavior related to the app.

These targeted actions go beyond generic advice by focusing on network-level controls, device management, and compensating controls to mitigate the specific alternate path authentication bypass.

Technical Details

Data Version: 5.1
Assigner Short Name: ibm
Date Reserved: 2025-04-15T21:16:11.325Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 687e8777a83201eaac127e6c

Added to database: 7/21/2025, 6:31:19 PM

Last enriched: 7/21/2025, 6:46:34 PM

Last updated: 8/14/2025, 4:35:31 PM
