
CVE-2025-36104: CWE-277 Insecure Inherited Permissions in IBM Storage Scale

Severity: Medium
Type: Vulnerability
Tags: CVE-2025-36104, cve, cve-2025-36104, cwe-277
Published: Sat Jul 12 2025 (07/12/2025, 11:30:41 UTC)
Source: CVE Database V5
Vendor/Project: IBM
Product: Storage Scale

Description

IBM Storage Scale 5.2.3.0 and 5.2.3.1 could allow an authenticated user to obtain sensitive information from files due to the insecure permissions inherited through the SMB protocol.

AI-Powered Analysis

Last updated: 07/12/2025, 12:01:24 UTC

Technical Analysis

CVE-2025-36104 is a medium-severity vulnerability affecting IBM Storage Scale versions 5.2.3.0 and 5.2.3.1. It arises from insecure inherited permissions through the SMB (Server Message Block) protocol, which is used for network file sharing. An authenticated user with legitimate access to the system can exploit this flaw to obtain sensitive information from files that they should not normally be able to access. The root cause is classified as CWE-277 (Insecure Inherited Permissions), which concerns improper access control due to insecure permission inheritance. In this case, the handling of permissions over SMB allows an authenticated user to inherit permissions that grant access to sensitive files, bypassing intended access restrictions.

The CVSS 3.1 base score is 6.5, indicating a medium severity level. The vector string (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) shows that the attack can be performed remotely over the network with low attack complexity, requires low privileges (an authenticated user) and no user interaction, and has a high impact on confidentiality but no impact on integrity or availability.

No known exploits are currently reported in the wild, and no patches have been linked yet, suggesting that mitigation may require configuration changes or awaiting vendor updates. Addressing this vulnerability is especially important in environments where IBM Storage Scale is used to store sensitive data, particularly multi-tenant or shared environments where users have different access levels.

Potential Impact

For European organizations, the impact of CVE-2025-36104 can be significant, particularly for enterprises relying on IBM Storage Scale for large-scale data storage and file sharing. The vulnerability allows authenticated users to access sensitive information beyond their authorization, potentially leading to data breaches involving confidential business information, personal data protected under GDPR, or intellectual property. This unauthorized data exposure can result in regulatory penalties, reputational damage, and loss of customer trust. Since the vulnerability does not affect data integrity or availability, the primary concern is confidentiality. However, the ease of exploitation by any authenticated user within the network increases the risk, especially in environments with many users or insufficient network segmentation. European organizations in sectors such as finance, healthcare, manufacturing, and government, which often handle sensitive data and comply with strict data protection regulations, are particularly at risk. The lack of known exploits in the wild provides a window for proactive mitigation before attackers develop or deploy exploit code.

Mitigation Recommendations

To mitigate CVE-2025-36104, European organizations should implement the following specific measures:

1) Review and tighten SMB share permissions on IBM Storage Scale systems to ensure that permission inheritance does not grant excessive access rights. This includes auditing current ACLs (Access Control Lists) and removing unnecessary inherited permissions.
2) Enforce the principle of least privilege by restricting authenticated user access to only those shares and files necessary for their roles.
3) Segment the network to limit SMB access to trusted users and systems, reducing the attack surface.
4) Monitor SMB traffic and access logs for unusual or unauthorized file access attempts, enabling early detection of exploitation attempts.
5) Engage with IBM support or security advisories to obtain patches or updates addressing this vulnerability as soon as they become available.
6) Consider disabling SMB protocol versions or features that are not required or known to be vulnerable, if feasible within the operational environment.
7) Educate system administrators and users about the risks associated with SMB permissions and the importance of secure configuration.

These targeted actions go beyond generic advice by focusing on permission inheritance and SMB-specific controls relevant to this vulnerability.
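
One way to carry out the ACL audit in measure 1, as an added example that is not IBM's code or part of the original page. It assumes the ACLs were exported in the ACL:<trustee>:<type>/<flags>/<mask> text format printed by Samba's smbcacls, with a "# path:" header line added per object by whatever wrapper collected them; the list of broad trustees and the sample listing are constructed.

```python
# Assumption: trustees treated as "broad" for this audit; set per local policy.
BROAD = {"Everyone", "NT AUTHORITY\\Authenticated Users", "BUILTIN\\Users"}
FLAG_BITS = {"OI": 0x01, "CI": 0x02, "NP": 0x04, "IO": 0x08, "I": 0x10}

# Constructed sample: smbcacls-style ACL lines, one "# path:" header per object
# (the header is this example's own convention, not smbcacls output).
SAMPLE = r"""
# path: /projects
ACL:CORP\storage-admin:ALLOWED/OI|CI/FULL
ACL:Everyone:ALLOWED/OI|CI/READ
# path: /projects/finance/payroll.xlsx
ACL:CORP\finance:ALLOWED/I/CHANGE
ACL:Everyone:ALLOWED/I/READ
# path: /projects/hr/reviews.docx
ACL:CORP\hr:ALLOWED/0x10/0x001f01ff
ACL:NT AUTHORITY\Authenticated Users:ALLOWED/0x10/0x00120089
ACL:Everyone:DENIED/I/FULL
"""


def parse_flags(text):
    """ACE flags as an int, from symbolic 'OI|CI|I' or numeric '0x10' / '16'."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    if text.isdigit():
        return int(text)
    return sum(FLAG_BITS[f] for f in text.split("|") if f)


def grants_read(mask):
    """True if the mask includes read-data (symbolic names, or hex bit 0x1)."""
    if mask.lower().startswith("0x"):
        return bool(int(mask, 16) & 0x1)
    return mask in ("FULL", "CHANGE") or "R" in mask


def audit(listing):
    """Return (path, trustee, kind) for broad allow-ACEs that grant read."""
    findings, path = [], None
    for line in map(str.strip, listing.splitlines()):
        if line.startswith("# path:"):
            path = line[7:].strip()
        elif line.startswith("ACL:"):
            trustee, spec = line[4:].rsplit(":", 1)
            ace_type, flags, mask = spec.split("/")
            bits = parse_flags(flags)
            kind = "inherited" if bits & 0x10 else "inheritable" if bits & 0x03 else None
            if kind and ace_type == "ALLOWED" and trustee in BROAD and grants_read(mask):
                findings.append((path, trustee, kind))
    return findings
```

An "inheritable" finding marks a parent whose ACE will propagate to children (OI/CI set); an "inherited" finding marks an object that already received such an ACE, so fixing the parent entry is what removes both.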


Technical Details

Data Version: 5.1
Assigner Short Name: ibm
Date Reserved: 2025-04-15T21:16:16.298Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68724affa83201eaacb43c17

Added to database: 7/12/2025, 11:46:07 AM

Last enriched: 7/12/2025, 12:01:24 PM

Last updated: 7/12/2025, 12:01:24 PM
