CVE-2025-36249: CWE-614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in IBM Jazz for Service Management
IBM Jazz for Service Management 1.1.3.0 through 1.1.3.25 does not set the Secure attribute on authorization tokens or session cookies. Attackers may be able to obtain the cookie values by sending an http:// link to a user or by planting this link in a site the user visits. The cookie will be sent with the request to the insecure link, and the attacker can then obtain the cookie value by snooping the traffic.
AI Analysis
Technical Summary
CVE-2025-36249 affects IBM Jazz for Service Management 1.1.3.0 through 1.1.3.25: the session cookie and the authorization token cookie are issued without the Secure attribute. A cookie carrying Secure is attached by the browser only to requests sent over HTTPS; without it, the browser also attaches the cookie to a plain http:// request for the same host. An attacker therefore needs two things: a way to make a logged-in user's browser request an http:// URL on the Jazz host (a link in a phishing message, or a link planted on a site the user already visits), and a vantage point from which the plaintext request can be read, such as a shared wireless network, a compromised router, or any other on-path position between the user and the server. Nothing in the application itself has to be exploited: the captured cookie value is replayed to take over the session. The attacker needs no privileges on the application, but the victim must already hold a valid session, and the need for both a lure and a network position keeps attack complexity high. The CVSS 3.1 base score is 3.7 (Low), reflecting a limited confidentiality impact and no impact on integrity or availability. No public exploit is known, and at the time of writing IBM has not released a fix. The weakness is catalogued as CWE-614 (sensitive cookie in HTTPS session without the Secure attribute), a common web misconfiguration. The Secure attribute and HTTP Strict Transport Security are complementary rather than interchangeable: HSTS stops the browser from making the plaintext request at all, while Secure stops the cookie from being attached if such a request is ever made.
Potential Impact
For European organizations running IBM Jazz for Service Management, the realistic outcome of this vulnerability is disclosure of a user's session cookie or authorization token to an attacker who can both lure the user to an http:// URL and observe the resulting traffic. The direct impact is loss of confidentiality: a replayed cookie gives the attacker the victim's access to the service management console, from which they could read management data or act on service workflows with the victim's rights. The vulnerability does not itself damage integrity or availability, but a hijacked session can be the first step of a larger intrusion, which is why the CVSS rating understates the operational consequence for a platform that sits at the centre of IT operations. Exposure is highest where users reach Jazz from untrusted networks (home, hotel or conference Wi-Fi) or where http:// links to the portal still circulate in bookmarks, e-mails and documentation; it is lowest where the portal is reachable only over HTTPS, HSTS is already enforced, and access is confined to a segmented management network. Even so, the fix is cheap relative to the value of the sessions involved, and timely remediation is warranted.
Mitigation Recommendations
To mitigate CVE-2025-36249, first confirm how the deployed instance actually behaves: log in over HTTPS and inspect the Set-Cookie headers on the session and token cookies for the Secure attribute (and, while there, HttpOnly). Apply IBM's fix once it is published; until then, the attribute can usually be added at a TLS-terminating reverse proxy or load balancer by rewriting outgoing Set-Cookie headers, which needs no change to the application itself. Independently of the cookie attribute, remove the plaintext path: stop the portal from listening on HTTP, redirect any remaining HTTP requests to HTTPS, and send a Strict-Transport-Security header with a long max-age and includeSubDomains so that browsers rewrite http:// links to https:// before a request leaves the machine. Two caveats apply. HSTS only takes effect after a browser has seen the header over HTTPS at least once, so it does not protect a first visit unless the domain is preloaded; and a server that merely refuses HTTP connections does not help against an attacker who can answer those connections from an on-path position, which is why the cookie attribute and HSTS are needed in addition. Advise users not to follow http:// links to the service management host and to report any they receive; at the network layer, block plaintext HTTP towards the portal's address range. Watch for HTTP requests to the portal that carry session cookies and for sessions that appear from unexpected source addresses; if a cookie may have been captured, invalidate the session rather than wait for it to expire. Finally, keep the product current and apply IBM's fix as soon as it is released.
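The following script is an added example, not code from the advisory or from IBM. It parses Set-Cookie headers the way a browser does, flags cookies that lack Secure (the CWE-614 condition) or HttpOnly, checks whether a Strict-Transport-Security header is present and strong enough, and shows the header rewrite a TLS-terminating reverse proxy would apply as an interim fix. The sample response headers, the cookie names and the host name jazz.example.com are constructed for illustration; the advisory does not name the affected cookies. The optional live fetch uses only the standard library and runs only when a host is given on the command line.

```python
"""Audit Set-Cookie and HSTS headers for the CWE-614 condition.

Added example, not IBM or advisory code. The sample headers below are
constructed: the cookie names only resemble a Java EE session cookie and
an SSO token, and jazz.example.com is a placeholder host.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Headers = List[Tuple[str, str]]

# Constructed response headers, as a vulnerable deployment might emit them.
SAMPLE_RESPONSE_HEADERS: Headers = [
    ("Content-Type", "text/html;charset=UTF-8"),
    ("Set-Cookie", "JSESSIONID=0000AbCdEfGh1234; Path=/; HttpOnly"),
    ("Set-Cookie", "LtpaToken2=bm90IGEgcmVhbCB0b2tlbg; Path=/; Domain=jazz.example.com"),
    ("Set-Cookie", "theme=insecure-dark; Path=/; Secure; HttpOnly"),
]


@dataclass
class CookieReport:
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]
    problems: List[str] = field(default_factory=list)


def parse_set_cookie(value: str) -> CookieReport:
    """Split a Set-Cookie value into cookie name and attributes like a browser does."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attributes follow the first ';' and are case-insensitive (RFC 6265).
    # Only the attribute list is inspected, so a cookie *value* such as
    # "insecure-dark" can never be mistaken for the Secure attribute.
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    report = CookieReport(
        name=name,
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        samesite=attrs.get("samesite") or None,
    )
    if not report.secure:
        report.problems.append("missing Secure (CWE-614)")
    if not report.httponly:
        report.problems.append("missing HttpOnly")
    return report


def add_secure_flag(value: str) -> str:
    """Rewrite a TLS-terminating reverse proxy would apply as an interim fix."""
    report = parse_set_cookie(value)
    fixed = value.strip().rstrip(";")
    if not report.secure:
        fixed += "; Secure"
    if not report.httponly:
        fixed += "; HttpOnly"
    return fixed


def check_hsts(headers: Headers) -> List[str]:
    """Report a missing or weak Strict-Transport-Security header."""
    hsts = next((v for k, v in headers if k.lower() == "strict-transport-security"), None)
    if hsts is None:
        return ["missing Strict-Transport-Security"]
    problems = []
    m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.IGNORECASE)
    if m is None or int(m.group(1)) < 31_536_000:
        problems.append("max-age shorter than one year")
    if "includesubdomains" not in hsts.lower():
        problems.append("missing includeSubDomains")
    return problems


def audit_response(headers: Headers) -> dict:
    """Map each weak cookie (and the key 'HSTS') to its list of problems."""
    findings = {}
    for key, value in headers:
        if key.lower() == "set-cookie":
            report = parse_set_cookie(value)
            if report.problems:
                findings[report.name] = report.problems
    hsts_problems = check_hsts(headers)
    if hsts_problems:
        findings["HSTS"] = hsts_problems
    return findings


def fetch_headers(host: str, path: str = "/") -> Headers:
    """Fetch live headers over HTTPS (only against hosts you are authorized to test)."""
    import http.client
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("GET", path)
    return conn.getresponse().getheaders()


if __name__ == "__main__":
    import json
    import sys
    hdrs = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RESPONSE_HEADERS
    print(json.dumps(audit_response(hdrs), indent=2))
```

Run without arguments to audit the constructed sample; pass a host name to audit a live instance you are authorized to test. Note that a login response normally carries the session cookie, so point the path at the login or landing page that actually sets it; an unauthenticated GET of / may not.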
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: ibm
- Date Reserved: 2025-04-15T21:16:43.936Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6904bd22f54b4a89977ab6d9
Added to database: 10/31/2025, 1:44:02 PM
Last enriched: 10/31/2025, 1:44:51 PM
Last updated: 11/1/2025, 9:29:35 PM