CVE-2025-36058: CWE-538 Insertion of Sensitive Information into Externally-Accessible File or Directory in IBM Business Automation Workflow containers
IBM Business Automation Workflow containers 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006. IBM Cloud Pak for Business Automation and IBM Business Automation Workflow containers may disclose sensitive configuration information in a config map.
AI Analysis
Technical Summary
CVE-2025-36058 is a vulnerability classified under CWE-538, which involves the insertion of sensitive information into files or directories that are externally accessible. Specifically, IBM Business Automation Workflow containers versions 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006 are affected. The vulnerability arises because sensitive configuration information is stored in a config map that is accessible outside the container environment. This exposure can lead to unauthorized disclosure of confidential data, such as credentials or internal configuration details, which could be leveraged for further attacks. The CVSS v3.1 score is 5.5 (medium severity), with an attack vector of local (AV:L), low attack complexity (AC:L), requiring low privileges (PR:L), no user interaction (UI:N), and impacting confidentiality only (C:H, I:N, A:N). The scope remains unchanged (S:U). There are no known exploits in the wild at this time. The vulnerability affects IBM Cloud Pak for Business Automation and IBM Business Automation Workflow containers, which are used to automate business processes and workflows in enterprise environments. The exposure of sensitive configuration data could facilitate lateral movement or privilege escalation if an attacker gains local access. The issue is particularly relevant in containerized deployments where config maps are commonly used to manage configuration data, and improper access controls can lead to data leakage.
Potential Impact
For European organizations, the disclosure of sensitive configuration information could lead to significant confidentiality breaches, especially in sectors like finance, manufacturing, and public administration where IBM Business Automation Workflow is deployed. Exposure of credentials or internal configuration details could enable attackers to pivot within networks, escalate privileges, or disrupt automated workflows indirectly. This could result in regulatory compliance violations under GDPR due to unauthorized data exposure. The impact is primarily on confidentiality, with no direct effect on system integrity or availability. However, the indirect consequences of leaked sensitive data could be severe, including reputational damage and operational disruptions. Organizations relying heavily on IBM automation solutions for critical business processes may face increased risk if this vulnerability is exploited. The requirement for local access and low privileges somewhat limits the attack surface but does not eliminate risk, especially in environments with multiple users or insufficient access controls.
Mitigation Recommendations
1. Restrict access to config maps and container orchestration management interfaces to trusted administrators only, using role-based access controls (RBAC) and network segmentation.
2. Monitor and audit access logs for config maps and container configurations to detect unauthorized access attempts.
3. Apply vendor patches or interim fixes as soon as they become available from IBM to remediate the vulnerability.
4. Review and harden container deployment configurations to ensure sensitive information is not exposed unnecessarily, including using secrets management solutions instead of config maps for sensitive data.
5. Implement strict local user access controls and minimize the number of users with local access to container hosts.
6. Conduct regular security assessments and penetration testing focused on container environments to identify potential misconfigurations.
7. Educate operational teams about the risks of exposing sensitive configuration data and best practices for container security.
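A defender-side check for recommendation 4, added here as an illustration and not part of the advisory or of IBM's tooling: it takes the JSON that `kubectl get configmaps -o json` produces, flags entries whose key names or values look like credentials (including `name=value` lines inside multi-line properties files), and reports what should move to a Secret. The ConfigMap names, keys and values below are constructed sample data, not real IBM configuration.

```python
import json
import re

# Constructed sample shaped like `kubectl get configmaps -n <ns> -o json`; all names and values are invented.
SAMPLE_CONFIGMAPS = json.dumps({"items": [
    {"metadata": {"name": "baw-liberty-config", "namespace": "bawprod"},
     "data": {"jvm.options": "-Xmx2g",
              "custom.properties": "db.host=db.internal\ndb.password=ExamplePass123\n"}},
    {"metadata": {"name": "baw-app-config", "namespace": "bawprod"},
     "data": {"DB_URL": "jdbc:db2://db.internal:50000/BPMDB",
              "LDAP_BIND_PASSWORD": "constructed-value"}},
    {"metadata": {"name": "baw-ui-config", "namespace": "bawprod"},
     "data": {"theme": "dark"}},
]})

# Key names that usually denote a credential rather than plain configuration.
SENSITIVE_KEY = re.compile(r"(passw(or)?d|secret|token|api[-_]?key|private[-_]?key)", re.I)
# Values that embed a credential: a PEM private key, or user:pass@ inside a URL.
SENSITIVE_VALUE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----|://[^/\s:@]+:[^@\s]+@")
# One `name=value` or `name: value` line inside a properties/YAML-style value.
PROPERTY_LINE = re.compile(r"^\s*([\w.\-]+)\s*[=:]\s*(\S.*)$")


def find_sensitive_entries(configmap_list_json):
    """Return one finding per ConfigMap entry (or embedded property line)
    that looks like a credential and therefore belongs in a Secret instead."""
    findings = []
    for cm in json.loads(configmap_list_json).get("items", []):
        meta = cm.get("metadata", {})
        where = {"namespace": meta.get("namespace", "default"),
                 "configmap": meta.get("name", "?")}
        for key, value in (cm.get("data") or {}).items():
            value = str(value)
            if SENSITIVE_KEY.search(key):
                findings.append({**where, "key": key, "reason": "credential-like key name"})
            elif SENSITIVE_VALUE.search(value):
                findings.append({**where, "key": key, "reason": "credential embedded in value"})
            else:
                # Multi-line values (properties files etc.) are checked line by line.
                for line in value.splitlines():
                    m = PROPERTY_LINE.match(line)
                    if m and SENSITIVE_KEY.search(m.group(1)):
                        findings.append({**where, "key": key,
                                         "reason": f"credential-like property '{m.group(1)}'"})
    return findings


if __name__ == "__main__":
    for f in find_sensitive_entries(SAMPLE_CONFIGMAPS):
        print(f"{f['namespace']}/{f['configmap']} key={f['key']}: {f['reason']}")
```

The check is heuristic: it reports candidates for review and migration, and a clean run does not prove a config map holds no sensitive data.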
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: ibm
- Date Reserved: 2025-04-15T21:16:11.325Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 696f9d594623b1157c3b4ffa
Added to database: 1/20/2026, 3:20:57 PM
Last enriched: 1/20/2026, 3:37:16 PM
Last updated: 2/2/2026, 5:23:04 PM