CVE-2025-36062: CWE-311 Missing Encryption of Sensitive Data in IBM Cognos Analytics Mobile
IBM Cognos Analytics Mobile (iOS) 1.1.0 through 1.1.22 could be vulnerable to information exposure due to the use of unencrypted network traffic.
AI Analysis
Technical Summary
CVE-2025-36062 identifies a vulnerability in IBM Cognos Analytics Mobile for iOS versions 1.1.0 through 1.1.22 in which sensitive data is transmitted over unencrypted network traffic. It is classified under CWE-311 (Missing Encryption of Sensitive Data): the mobile application fails to protect data in transit, so confidential information can be intercepted by anyone able to observe the traffic. The vulnerability has a CVSS v3.1 base score of 5.9 (medium). The vector string (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) indicates a network attack vector, high attack complexity, no privileges required and no user interaction; the impact is on confidentiality only, with no effect on integrity or availability. Because the flaw is in the iOS client, business intelligence data retrieved from the IBM Cognos Analytics platform may be exposed to network eavesdropping, especially on untrusted or public networks. No exploits in the wild are currently reported, and no patches have been linked yet, indicating that remediation may still be pending or in development. An attacker positioned on the same network as the victim (for example, public Wi-Fi or a compromised internal network) could intercept analytics data, leading to disclosure of business-critical insights or personally identifiable information embedded in reports or dashboards.
Potential Impact
For European organizations using IBM Cognos Analytics Mobile on iOS devices, this vulnerability poses a significant risk to the confidentiality of sensitive business data. Many enterprises rely on Cognos Analytics for decision-making and reporting, often containing proprietary or regulated information. Exposure of such data could lead to competitive disadvantage, regulatory non-compliance (e.g., GDPR violations if personal data is leaked), and reputational damage. The risk is heightened in scenarios where employees access Cognos Analytics Mobile over insecure networks, such as public Wi-Fi hotspots or poorly secured corporate Wi-Fi. Since the vulnerability does not affect data integrity or availability, operational disruption is unlikely, but the leakage of sensitive data could have long-term strategic and legal consequences. The medium CVSS score reflects the need for attention but also indicates that exploitation requires a high level of attacker capability and network proximity, somewhat limiting the attack surface.
Mitigation Recommendations
European organizations should immediately assess their use of IBM Cognos Analytics Mobile on iOS devices and restrict access to the affected versions (1.1.0 through 1.1.22). Until a patch is available, organizations should enforce the use of secure VPN connections for mobile users accessing Cognos Analytics to ensure encryption of network traffic. Network segmentation and monitoring should be enhanced to detect suspicious activities on internal and guest networks. Additionally, organizations should educate users about the risks of using public or unsecured Wi-Fi networks when accessing sensitive analytics data. Implementing Mobile Device Management (MDM) policies to enforce app version control and restrict installation of vulnerable versions can help reduce exposure. Finally, organizations should monitor IBM’s advisories for patches or updates addressing this vulnerability and plan for prompt deployment once available.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: ibm
- Date Reserved: 2025-04-15T21:16:12.197Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 687e8777a83201eaac127e6f
Added to database: 7/21/2025, 6:31:19 PM
Last enriched: 8/19/2025, 1:17:50 AM
Last updated: 8/21/2025, 12:35:15 AM