
CVE-2025-36222: CWE-1188 Insecure Default Initialization of Resource in IBM Fusion

Severity: High
Tags: vulnerability, CVE-2025-36222, CWE-1188
Published: Thu Sep 11 2025 (09/11/2025, 20:44:06 UTC)
Source: CVE Database V5
Vendor/Project: IBM
Product: Fusion

Description

IBM Fusion 2.2.0 through 2.10.1, IBM Fusion HCI 2.2.0 through 2.10.0, and IBM Fusion HCI for watsonx 2.8.2 through 2.10.0 use insecure default configurations that could expose AMQStreams without client authentication, which could allow an attacker to perform unauthorized actions.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/27/2026, 01:46:52 UTC

Technical Analysis

CVE-2025-36222 is a vulnerability identified in IBM Fusion versions 2.2.0 through 2.10.1, including IBM Fusion HCI variants up to 2.10.0. The root cause is insecure default initialization of AMQStreams resources, the messaging components IBM Fusion uses for data streaming and integration. By default these AMQStreams instances are configured to accept connections without client authentication, exposing them to unauthorized remote access. This configuration flaw falls under CWE-1188, insecure default initialization of a resource.

An attacker exploiting this vulnerability can remotely connect to the AMQStreams service and perform unauthorized actions, potentially including reading sensitive data streams or manipulating message flows, thereby compromising confidentiality and integrity. The vulnerability has a CVSS 3.1 base score of 8.7, reflecting a network attack vector (AV:N), high attack complexity (AC:H), no privileges required (PR:N), no user interaction (UI:N), and a scope change (S:C) with high impact on confidentiality (C:H) and integrity (I:H) but no impact on availability (A:N).

No public exploits have been reported yet, but insecure defaults in critical messaging infrastructure pose a significant risk. IBM Fusion is widely used in enterprise environments for data integration and analytics, making this vulnerability particularly concerning for organizations relying on these platforms for secure data processing. Because client authentication is off by default, an attacker who can reach the service can bypass the expected access controls and gain unauthorized access to sensitive data streams. Remediation will require administrators to review and update the default configurations to enforce client authentication on AMQStreams and to monitor for suspicious access. IBM is expected to release patches or configuration guidance to address this issue.

Potential Impact

The vulnerability can lead to unauthorized remote access to AMQStreams messaging components within IBM Fusion environments, allowing attackers to read or manipulate sensitive data streams. This compromises the confidentiality and integrity of enterprise data pipelines, potentially leading to data breaches, data tampering, or disruption of critical analytics workflows. Since AMQStreams often handle real-time data integration, exploitation could affect business decision-making processes and operational continuity. The high CVSS score indicates a severe risk, especially given no authentication is required and no user interaction is needed, enabling remote exploitation. Organizations worldwide using affected IBM Fusion versions may face regulatory compliance issues, reputational damage, and operational risks if exploited. The scope change in the CVSS vector suggests that the vulnerability affects resources beyond the initially vulnerable component, potentially impacting interconnected systems. Although availability is not directly affected, the integrity and confidentiality impacts alone can have serious consequences for enterprises relying on IBM Fusion for secure data handling.

Mitigation Recommendations

Administrators should immediately audit their IBM Fusion and IBM Fusion HCI deployments to identify instances running affected versions (2.2.0 through 2.10.1). They must verify the configuration of AMQStreams resources to ensure client authentication is enforced and disable any insecure default settings that allow unauthenticated access. Until vendor patches are released, consider isolating AMQStreams endpoints within trusted network segments and applying strict network access controls such as firewall rules and VPN requirements to limit exposure. Implement continuous monitoring and logging of AMQStreams access to detect unauthorized connection attempts. Engage with IBM support to obtain any available security advisories or interim configuration guidance. Plan for timely patch deployment once IBM releases updates addressing this vulnerability. Additionally, review and strengthen overall messaging infrastructure security policies, including authentication mechanisms, encryption, and access controls, to reduce attack surface. Conduct penetration testing focused on messaging components to validate the effectiveness of mitigations.
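A configuration check of the kind the audit step above calls for, added here as an example and not code from IBM or the advisory. It assumes AMQStreams is deployed through the Strimzi `Kafka` custom resource (the Kafka distribution AMQ Streams is built on), where each entry in `spec.kafka.listeners` carries an optional `authentication` block; the sample resource, cluster name, namespace and listener names are constructed for the example.

```python
import json

# Constructed sample of what `oc get kafka <name> -o json` returns for a
# Strimzi/AMQ Streams cluster in which one listener was left at its defaults.
# Cluster, namespace and listener names are made up for this example.
SAMPLE_KAFKA_CR = json.dumps({
    "apiVersion": "kafka.strimzi.io/v1beta2",
    "kind": "Kafka",
    "metadata": {"name": "example-kafka", "namespace": "fusion-example-ns"},
    "spec": {"kafka": {"listeners": [
        {"name": "plain", "port": 9092, "type": "internal", "tls": False},
        {"name": "tls", "port": 9093, "type": "internal", "tls": True,
         "authentication": {"type": "tls"}},
        {"name": "external", "port": 9094, "type": "route", "tls": True,
         "authentication": {"type": "scram-sha-512"}},
    ]}},
})

def audit_listeners(kafka_cr_json: str) -> list:
    """Return one finding per listener that admits clients without authentication.

    A Strimzi listener with no `authentication` block accepts any client that can
    reach its port. `tls: true` alone only encrypts the connection; it does not
    identify the client, so it is not counted as authentication here.
    """
    cr = json.loads(kafka_cr_json)
    listeners = cr.get("spec", {}).get("kafka", {}).get("listeners", [])
    findings = []
    for lst in listeners:
        auth = lst.get("authentication") or {}
        if not auth.get("type"):
            findings.append({
                "cluster": cr.get("metadata", {}).get("name"),
                "listener": lst.get("name"),
                "port": lst.get("port"),
                "type": lst.get("type"),
                "tls": bool(lst.get("tls", False)),
                # Anything other than an internal listener is reachable from
                # outside the cluster network and deserves the first fix.
                "externally_exposed": lst.get("type") != "internal",
            })
    return findings

def hardened_listener(listener: dict, auth_type: str = "scram-sha-512") -> dict:
    """Return a copy of the listener with TLS and client authentication enforced."""
    fixed = dict(listener)
    fixed["tls"] = True
    fixed["authentication"] = {"type": auth_type}
    return fixed

if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_KAFKA_CR):
        print(f"unauthenticated listener {f['listener']} on port {f['port']} "
              f"(type={f['type']}, tls={f['tls']}, exposed={f['externally_exposed']})")
```

Run it against every `Kafka` resource in the affected namespaces; an empty result means every listener requires client authentication, which is the state the mitigation above asks administrators to verify.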


Technical Details

Data Version: 5.1
Assigner Short Name: ibm
Date Reserved: 2025-04-15T21:16:41.802Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68c41d5dd839f9a306304f6b

Added to database: 9/12/2025, 1:17:17 PM

Last enriched: 2/27/2026, 1:46:52 AM

Last updated: 3/26/2026, 6:53:24 AM

