CVE-2025-36222: CWE-1188 Insecure Default Initialization of Resource in IBM Fusion
IBM Fusion 2.2.0 through 2.10.1, IBM Fusion HCI 2.2.0 through 2.10.0, and IBM Fusion HCI for watsonx 2.8.2 through 2.10.0 use insecure default configurations that could expose AMQStreams without client authentication, which could allow an attacker to perform unauthorized actions.
AI Analysis
Technical Summary
CVE-2025-36222 is a high-severity vulnerability affecting IBM Fusion versions 2.2.0 through 2.10.1, IBM Fusion HCI versions 2.2.0 through 2.10.0, and IBM Fusion HCI for watsonx versions 2.8.2 through 2.10.0. It stems from insecure default initialization of a resource: the AMQ Streams instance (Red Hat's Apache Kafka distribution, built on the Strimzi operator) that these products bundle for messaging is deployed with default settings under which its Kafka listeners do not require client authentication. Any client that can reach such a listener can connect anonymously and perform actions the deployment never intended to expose, compromising the confidentiality and integrity of the data streams it carries. In Kafka terms, an unauthenticated client can consume existing messages, publish forged ones, and, depending on how authorization is configured, perform administrative operations on topics. The weakness is classified as CWE-1188 (Insecure Default Initialization of Resource): the product ships with settings that are not secure by default, so the exposure exists until an operator changes them. The CVSS v3.1 base score is 8.7 (High) with vector AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N: network attack vector, high attack complexity, no privileges or user interaction required, changed scope, high confidentiality and integrity impact, and no rated availability impact. No exploitation in the wild is reported and no patch is linked in this record, so organizations should prioritize mitigation and monitoring. Business processes that rely on IBM Fusion's messaging, and any sensitive data flowing through it, remain exposed until the listeners are secured.
Potential Impact
For European organizations using IBM Fusion and its variants, this vulnerability poses a significant risk to the confidentiality and integrity of their messaging infrastructure. AMQ Streams typically carries data streaming and integration traffic; unauthorized access could lead to data leakage, manipulation of business-critical messages, or unauthorized administrative operations on the Kafka cluster. This could disrupt operations, cause compliance violations (for example a GDPR breach if personal data is exposed), and damage organizational reputation. Because the listener is reachable over the network and requires no authentication, an attacker with network access can exploit it remotely without user interaction. Industries such as finance, telecommunications, manufacturing, and public sector entities in Europe that rely on IBM Fusion for integration and data streaming are particularly at risk. The impact is compounded by the breadth of affected versions, including recent ones, which means many organizations are likely running vulnerable instances.
Mitigation Recommendations
European organizations should immediately review their IBM Fusion deployments and identify instances running affected versions (Fusion 2.2.0 through 2.10.1, Fusion HCI 2.2.0 through 2.10.0, and Fusion HCI for watsonx 2.8.2 through 2.10.0). Until an official fix is released, organizations should:
1) Disable or restrict network access to the AMQ Streams listeners so that only Fusion components and trusted internal clients can reach them; in a Kubernetes/OpenShift deployment this usually means NetworkPolicy objects in the namespace hosting the Kafka cluster, and any route, NodePort, or LoadBalancer listener that is not needed should be removed.
2) Implement network-level controls such as firewalls and segmentation to isolate the AMQ Streams services from untrusted networks.
3) Enforce authentication and authorization where the product allows it: in AMQ Streams that means setting an authentication type (TLS client certificates, SCRAM-SHA-512, or OAuth) on every Kafka listener and enabling an authorizer so that each principal is limited to the topics it needs. If the Kafka custom resource is managed by the Fusion operator, confirm with IBM whether manual changes survive reconciliation and upgrades.
4) Monitor for anonymous connections: with Kafka's authorizer logging enabled, activity attributed to the User:ANONYMOUS principal is the signature of an unauthenticated client.
5) Engage with IBM support for guidance on interim mitigations and patch timelines.
6) Plan and test upgrades to versions that address this vulnerability once they are available.
Finally, audit the messaging infrastructure (topics, ACLs, consumer groups, and any unexpected producers) to confirm that no unauthorized changes or data exfiltration have occurred.
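The following is an added example, not code from IBM, Red Hat, or this advisory, of how to check recommendation 3 against a live cluster. AMQ Streams is built on the Strimzi operator, whose Kafka custom resource (kind Kafka, API group kafka.strimzi.io) declares each listener's authentication type and the cluster-wide authorization type; the script flags listeners that have no authentication block and clusters with no authorizer. It assumes the resource is readable with kubectl (for example `kubectl get kafka -A -o json | python3 audit_kafka_cr.py`); the namespace, cluster name, listener names and ports in the two embedded sample resources are constructed for illustration and are not IBM Fusion's actual values. The weak sample shows the shape of an unhardened default; the hardened sample shows the same cluster with TLS client-certificate and SCRAM-SHA-512 authentication on every listener and the simple authorizer enabled.

```python
"""Audit AMQ Streams (Strimzi) Kafka custom resources for unauthenticated listeners.

Added example, not IBM or Red Hat code. Usage:
    kubectl get kafka -A -o json | python3 audit_kafka_cr.py
Exit status 1 if anything is flagged. Run with no stdin to audit the built-in samples.
"""
import json
import sys
from typing import Dict, List


def audit_kafka(cr: Dict) -> List[str]:
    """Return findings for one Kafka CR (kind Kafka, kafka.strimzi.io); empty means nothing flagged."""
    meta = cr.get("metadata", {})
    ident = f"{meta.get('namespace', '?')}/{meta.get('name', '?')}"
    kafka = cr.get("spec", {}).get("kafka", {})
    findings: List[str] = []
    for lst in kafka.get("listeners", []):
        where = f"listener '{lst.get('name')}' (port {lst.get('port')}, type {lst.get('type')})"
        auth = lst.get("authentication") or {}
        if not auth.get("type"):
            # The CVE-2025-36222 condition: anyone who can reach the port connects as User:ANONYMOUS.
            findings.append(f"{ident}: {where} has no client authentication")
        elif auth["type"] == "scram-sha-512" and lst.get("tls") is not True:
            findings.append(f"{ident}: {where} sends SCRAM credentials over a non-TLS listener")
        if lst.get("type") != "internal" and lst.get("tls") is not True:
            findings.append(f"{ident}: {where} is reachable from outside the cluster without TLS")
    if not (kafka.get("authorization") or {}).get("type"):
        # Kafka with no authorizer allows every operation to every principal, anonymous included.
        findings.append(f"{ident}: no authorizer configured; any connected principal can read, "
                        "write and administer all topics")
    return findings


def audit_document(doc: Dict) -> List[str]:
    """Audit a single Kafka CR or the kind 'List' wrapper that kubectl emits for several."""
    items = doc.get("items", []) if "items" in doc else [doc]
    findings: List[str] = []
    for item in items:
        if item.get("kind") == "Kafka":
            findings.extend(audit_kafka(item))
    return findings


# Constructed sample of an unhardened default (illustrative names and ports, not IBM Fusion's):
# every listener accepts anonymous clients and no authorizer is set.
WEAK_CR = {
    "apiVersion": "kafka.strimzi.io/v1beta2",
    "kind": "Kafka",
    "metadata": {"name": "example-cluster", "namespace": "example-ns"},
    "spec": {"kafka": {
        "listeners": [
            {"name": "plain", "port": 9092, "type": "internal", "tls": False},
            {"name": "tls", "port": 9093, "type": "internal", "tls": True},
            {"name": "external", "port": 9094, "type": "route", "tls": True},
        ],
    }},
}

# Constructed hardened counterpart: the plaintext listener is gone, each remaining listener
# requires authentication, and the simple ACL authorizer is enabled.
HARDENED_CR = {
    "apiVersion": "kafka.strimzi.io/v1beta2",
    "kind": "Kafka",
    "metadata": {"name": "example-cluster", "namespace": "example-ns"},
    "spec": {"kafka": {
        "listeners": [
            {"name": "tls", "port": 9093, "type": "internal", "tls": True,
             "authentication": {"type": "tls"}},
            {"name": "external", "port": 9094, "type": "route", "tls": True,
             "authentication": {"type": "scram-sha-512"}},
        ],
        "authorization": {"type": "simple"},
    }},
}


if __name__ == "__main__":
    if sys.stdin.isatty():
        doc = {"kind": "List", "items": [WEAK_CR, HARDENED_CR]}
    else:
        doc = json.load(sys.stdin)
    results = audit_document(doc)
    for finding in results:
        print("FINDING:", finding)
    sys.exit(1 if results else 0)
```

A clean run proves only that the declared configuration requires authentication on every listener; it does not prove that the Fusion operator will keep that configuration, so re-run the audit after any operator upgrade or reconciliation and pair it with the log monitoring in recommendation 4.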
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: ibm
- Date Reserved: 2025-04-15T21:16:41.802Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68c41d5dd839f9a306304f6b
Added to database: 9/12/2025, 1:17:17 PM
Last enriched: 9/19/2025, 3:56:57 PM
Last updated: 10/30/2025, 2:09:58 PM