
CVE-2025-36106: CWE-326 Inadequate Encryption Strength in IBM Cognos Analytics Mobile

Severity: Medium
Tags: Vulnerability, CVE-2025-36106, CWE-326
Published: Mon Jul 21 2025 (07/21/2025, 18:08:09 UTC)
Source: CVE Database V5
Vendor/Project: IBM
Product: Cognos Analytics Mobile

Description

IBM Cognos Analytics Mobile (iOS) 1.1.0 through 1.1.22 could allow malicious actors to view and modify information coming to and from the application, which could then be used to access confidential information on the device or network, by using the deprecated or misconfigured AFNetworking library at runtime.

AI-Powered Analysis

AI analysis last updated: 07/21/2025, 18:46:09 UTC

Technical Analysis

CVE-2025-36106 is a vulnerability identified in IBM Cognos Analytics Mobile for iOS versions 1.1.0 through 1.1.22. The issue stems from the use of a deprecated or misconfigured AFNetworking library at runtime, which results in inadequate encryption strength (classified under CWE-326). This weakness allows malicious actors to intercept and potentially modify data transmitted between the mobile application and backend services. Specifically, the vulnerability enables attackers to view and alter information in transit, which could lead to unauthorized access to confidential information stored on the device or accessible through the network. The vulnerability does not require user interaction or authentication, but it does have a high attack complexity, meaning that exploitation is not trivial and may require specific conditions or skills. The CVSS v3.1 base score is 6.5 (medium severity), reflecting a high impact on confidentiality, limited impact on integrity, and no impact on availability. The vulnerability affects the confidentiality of sensitive business intelligence data handled by IBM Cognos Analytics Mobile, potentially exposing sensitive corporate analytics and reports to unauthorized parties. Since the vulnerability is related to encryption strength and transport security, it primarily threatens data confidentiality during communication sessions between the mobile app and backend servers.

Potential Impact

For European organizations, this vulnerability poses a significant risk to the confidentiality of sensitive business intelligence data accessed via IBM Cognos Analytics Mobile on iOS devices. Organizations relying on this mobile application for accessing corporate analytics and reports could face data leakage risks if attackers intercept communications. This could lead to exposure of strategic business insights, financial data, or personally identifiable information (PII) depending on the nature of the reports accessed. The impact is heightened in sectors with strict data protection regulations such as finance, healthcare, and government, where unauthorized data disclosure can result in regulatory penalties under GDPR and damage to reputation. Additionally, the vulnerability could be exploited in targeted attacks against high-value European enterprises or government agencies using IBM Cognos Analytics Mobile, potentially facilitating espionage or competitive intelligence gathering. However, the medium severity and high attack complexity suggest that widespread exploitation is less likely without significant attacker resources or insider knowledge.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should prioritize updating IBM Cognos Analytics Mobile to a version where the AFNetworking library is properly configured or replaced with a secure alternative. Since no patch links are currently provided, organizations should monitor IBM security advisories for official updates or patches. In the interim, organizations can implement network-level protections such as enforcing VPN usage for mobile devices accessing corporate resources, deploying mobile device management (MDM) solutions to restrict app versions and enforce security policies, and using network traffic inspection tools to detect anomalous data manipulation. Additionally, organizations should review and strengthen transport layer security configurations, ensuring TLS versions and cipher suites meet current best practices. Educating users about the risks of using outdated app versions and restricting access to sensitive analytics data from mobile devices until remediation is applied can further reduce exposure.


Technical Details

Data Version: 5.1
Assigner Short Name: ibm
Date Reserved: 2025-04-15T21:16:16.298Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 687e8777a83201eaac127e72

Added to database: 7/21/2025, 6:31:19 PM

Last enriched: 7/21/2025, 6:46:09 PM

Last updated: 8/11/2025, 9:41:25 AM
