CVE-2025-36351: CWE-284 Authentication Bypass Using an Alternate Path or Channel in IBM License Metric Tool

Severity: Medium
Tags: Vulnerability, CVE-2025-36351, cve, cve-2025-36351, cwe-284
Published: Mon Sep 29 2025 (09/29/2025, 14:27:39 UTC)
Source: CVE Database V5
Vendor/Project: IBM
Product: License Metric Tool

Description

IBM License Metric Tool 9.2.0 through 9.2.40 could allow an authenticated user to bypass access controls in the REST API interface and perform unauthorized actions.

AI-Powered Analysis

AI analysis last updated: 09/29/2025, 14:31:57 UTC

Technical Analysis

CVE-2025-36351 is a medium-severity vulnerability identified in IBM License Metric Tool versions 9.2.0 through 9.2.40. The vulnerability stems from improper access control enforcement in the product's REST API interface: an authenticated user can bypass the intended access restrictions and perform unauthorized actions. The underlying weakness is classified under CWE-284, which refers to authentication bypass using an alternate path or channel. In other words, although the user is authenticated, the system fails to properly verify that user's authorization for certain API operations, potentially allowing privilege escalation or unauthorized modifications. The vulnerability requires no user interaction beyond authentication, and the attack vector is network-based (remote). The CVSS v3.1 base score is 4.3, indicating medium severity; the impact is primarily on integrity (unauthorized actions), with no direct impact on confidentiality or availability. No known exploits are currently reported in the wild, and no patches have been linked yet, suggesting that remediation may still be pending or in development. The vulnerability affects a critical enterprise tool used for software license management, which is often integrated into IT asset management and compliance workflows.

Potential Impact

For European organizations, the impact of this vulnerability could be significant in environments where IBM License Metric Tool is deployed to manage software licenses and compliance. Unauthorized actions via the REST API could lead to inaccurate license reporting, manipulation of license entitlements, or disruption of compliance audits. This could result in financial penalties due to non-compliance, legal liabilities, or operational disruptions if license enforcement mechanisms are circumvented. Additionally, unauthorized changes might be leveraged as a foothold for further lateral movement within enterprise networks, especially if the License Metric Tool is integrated with other IT management systems. While the vulnerability does not directly compromise confidentiality or availability, the integrity impact on license data and management processes can undermine trust in software asset management and compliance, which is critical for regulated industries prevalent in Europe such as finance, healthcare, and government sectors.

Mitigation Recommendations

Given the absence of an official patch link, European organizations should take immediate compensating controls to mitigate risk. These include:

1) Restricting network access to the IBM License Metric Tool REST API interface to trusted administrative networks only, using firewalls or network segmentation.
2) Enforcing strict authentication and authorization policies, ensuring that only necessary users have access and that roles are properly assigned and audited.
3) Monitoring and logging all REST API calls for unusual or unauthorized activity, with alerts configured for anomalous access patterns.
4) Temporarily disabling or limiting REST API functionality if feasible until a patch is available.
5) Engaging with IBM support to obtain timelines for patches or workarounds and applying them promptly once released.
6) Conducting internal audits of license data integrity to detect any unauthorized changes.

These steps go beyond generic advice by focusing on access control hardening, monitoring, and operational controls tailored to the affected product and vulnerability vector.

Technical Details

Data Version: 5.1
Assigner Short Name: ibm
Date Reserved: 2025-04-15T21:16:54.209Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68da982a15f3c5a417dc16a9

Added to database: 9/29/2025, 2:31:06 PM

Last enriched: 9/29/2025, 2:31:57 PM

Last updated: 9/30/2025, 4:59:57 PM
