CVE-2025-36357: CWE-36 in IBM Planning Analytics Local
IBM Planning Analytics Local 2.1.0 through 2.1.14 could allow a remote authenticated user to traverse directories on the system. An attacker could send a specially crafted URL request containing absolute path sequences to view, read, or write arbitrary files on the system.
AI Analysis
Technical Summary
CVE-2025-36357 is an absolute path traversal vulnerability (CWE-36) in IBM Planning Analytics Local versions 2.1.0 through 2.1.14. A remote attacker with valid credentials can send a crafted URL request in which a path parameter carries an absolute path sequence (a path anchored at the filesystem root or a drive letter, rather than a relative "../" sequence), and the application resolves it outside its intended directory, allowing arbitrary files on the host to be read or written. The root cause is insufficient validation of user-supplied path input in the product's web interface or API endpoints: the supplied value is joined to a base directory without rejecting absolute paths or confirming that the canonical result stays inside that base. Because no "../" is needed, a filter that looks only for dot-dot sequences does not cover this class. The CVSS v3.1 base score of 8.0 reflects high impact on confidentiality, integrity, and availability with low attack complexity, network reachability, low privileges, and required user interaction. No public exploit has been reported, but the data handled by IBM Planning Analytics Local (enterprise planning and financial analytics) makes the flaw serious: readable configuration files and credentials support lateral movement, and writable application files are the usual route from file write to code execution on the host or denial of service. The CVE was reserved in April 2025 and published in November 2025; this page lists no patch link, so the fixed release must be taken from IBM's security advisory.
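The join-without-containment pattern described above, shown as an added example (this is not IBM's code and not the actual vulnerable routine): a toy resolver with the CWE-36 defect beside a hardened version, run over constructed request values that include absolute POSIX and Windows paths, their percent-encoded forms, and ordinary dot-dot traversal for contrast. The directory layout, file names and request values are invented for the demonstration.

```python
"""CWE-36 (absolute path traversal) next to its fix.

Added example, not IBM code: a toy file-serving resolver that joins a
user-supplied name onto a base directory, first the way that produces the
bug and then with the checks that close it. Directory names, file names and
request values are constructed for the demonstration.
"""
import os
import re
import tempfile
from urllib.parse import unquote

# Constructed request values, the kind a crafted URL could carry.
CONSTRUCTED_REQUESTS = [
    "reports/q1.csv",          # legitimate: relative, inside the base directory
    "/etc/passwd",             # CWE-36: absolute POSIX path, no '../' needed
    "%2Fetc%2Fpasswd",         # the same, percent-encoded
    "C:\\Windows\\win.ini",    # absolute Windows path (drive letter)
    "../secret.txt",           # classic relative traversal (CWE-23) for contrast
    "..%2F..%2Fsecret.txt",    # relative traversal, percent-encoded
]


def vulnerable_resolve(base_dir, user_path):
    """The bug: os.path.join() discards base_dir when the second argument
    is absolute, so '/etc/passwd' resolves to exactly '/etc/passwd'.
    A filter that only rejects '../' never sees anything to reject."""
    return os.path.join(base_dir, unquote(user_path))


def safe_resolve(base_dir, user_path):
    """The fix: decode once, refuse any absolute form, canonicalise, and
    require the canonical result to sit inside the canonical base directory.
    Backslashes are folded to '/' first so Windows-style input is judged the
    same way on every host (trade-off: a POSIX file name containing a literal
    backslash is no longer reachable through this API)."""
    decoded = unquote(user_path).replace("\\", "/")
    if decoded.startswith("/") or re.match(r"^[A-Za-z]:", decoded):
        raise PermissionError(f"absolute path rejected: {user_path!r}")
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, decoded))
    # realpath() collapses '..' and follows symlinks, so the containment
    # check also catches a symlink inside base_dir that points outside it.
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise PermissionError(f"path escapes base directory: {user_path!r}")
    return candidate


def demo():
    """Run both resolvers over the constructed requests inside a throwaway
    tree. Returns {request: (verdict of safe_resolve, whether
    vulnerable_resolve pointed outside the base directory on this host)}."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "files")
        os.makedirs(os.path.join(base, "reports"))
        open(os.path.join(base, "reports", "q1.csv"), "w").close()
        open(os.path.join(root, "secret.txt"), "w").close()  # outside base
        base_real = os.path.realpath(base)
        results = {}
        for req in CONSTRUCTED_REQUESTS:
            leaked = os.path.realpath(vulnerable_resolve(base, req))
            escaped = os.path.commonpath([base_real, leaked]) != base_real
            try:
                safe_resolve(base, req)
                verdict = "served"
            except PermissionError:
                verdict = "blocked"
            results[req] = (verdict, escaped)
        return results


if __name__ == "__main__":
    for req, (verdict, escaped) in demo().items():
        print(f"{req!r:28} safe={verdict:8} vulnerable_escapes_base={escaped}")
```

The thing to take from the run is that the absolute-path inputs contain no dot-dot at all, so a "../" blocklist passes them straight into the join; the hardened version rejects them before the join and then still checks the canonical result against the canonical base, which also covers symlinks and the encoded dot-dot case. On a POSIX host the drive-letter input is merely an odd file name inside the base directory, so only the verdict, not the escape flag, is meaningful for it; on Windows the vulnerable join would hand back the absolute path.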
Potential Impact
The impact of CVE-2025-36357 is significant for organizations running IBM Planning Analytics Local, because arbitrary file read and write on the host compromises the confidentiality, integrity, and availability of both business data and the application itself. Reading files can expose planning and financial data, configuration, and any credentials stored on disk; writing files can alter analytics results, replace configuration or application content, or corrupt files the service depends on, which is how a file-write primitive typically turns into code execution or denial of service. Because the product is usually deployed in enterprise environments for strategic planning and financial reporting, a successful attack can translate into financial loss, regulatory exposure, and reputational damage. The need for valid credentials and user interaction limits the direct attacker pool to insiders and holders of compromised accounts, but the low attack complexity and high impact keep the overall risk high. Instances whose web interface is reachable from outside the management network enlarge that pool, since any stolen credential can then be used from anywhere.
Mitigation Recommendations
To mitigate CVE-2025-36357, apply IBM's fix for the affected 2.1.x versions as soon as it is available; this page lists no patch link, so track the IBM security advisory for the fixed release and treat the measures below as interim controls rather than a substitute. Review the accounts that can reach IBM Planning Analytics Local and restrict each to the minimum necessary permissions, especially accounts used remotely, and require multi-factor authentication so that a leaked password alone is not enough to exploit an authenticated flaw. Limit access to the web and management interfaces to trusted hosts with network segmentation and firewall rules, and keep vulnerable instances off the internet and untrusted networks until patched. If you add request filtering at a web server, reverse proxy, or application gateway, remember that CWE-36 is absolute path traversal: a rule that only matches "../" will not catch a value such as "/etc/passwd", a drive-letter path, or their percent-encoded forms, so a filter must decode the value and reject absolute paths as well as dot-dot sequences, and it remains a compensating control because the application itself has to canonicalise and contain the path. Log the authenticated user, the full request URL, and the response status for file-related endpoints, and monitor for absolute paths, encoded separators, or unusual file access patterns; a 200 on such a request is a stronger indicator than a 403 that was already blocked. Back up critical data and configuration files regularly so unauthorized modifications can be reverted, and verify the integrity of the installation's files if exploitation is suspected.
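Detection logic for the monitoring advice above, as an added example that is not an IBM detection rule: a scanner over Apache-style access-log lines that percent-decodes each query value and the URL path (repeatedly, to catch double encoding), flags absolute paths and dot-dot segments, and attributes hits to the authenticated user. The log lines, the /app/reports and /app/files endpoints, and the usernames are constructed; real Planning Analytics Local endpoint names are not given on this page and should be taken from your own logs.

```python
"""Access-log scan for path-traversal indicators.

Added example, not an IBM detection rule. Log lines, endpoint paths and
usernames below are constructed; substitute the file-handling endpoints
observed in your own Planning Analytics Local logs.
"""
import re
from collections import Counter
from typing import Optional
from urllib.parse import parse_qsl, unquote, urlsplit

# Common/combined access-log prefix: client, ident, authenticated user,
# timestamp, request line, status code.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Absolute-path shapes: leading '/', leading '\' (also covers UNC), drive letter.
ABS_PATH = re.compile(r'^(?:/|\\|[A-Za-z]:[\\/])')
# A '..' segment bounded by separators or by the ends of the string.
DOTDOT = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')
# Percent-encoded '/' or '\' left inside the URL path, single- or double-encoded.
ENCODED_SEP = re.compile(r'%(?:25)?(?:2f|5c)', re.IGNORECASE)

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - analyst1 [17/Nov/2025:20:14:20 +0000] "GET /app/reports?name=q1.csv HTTP/1.1" 200 5120
10.0.0.9 - analyst1 [17/Nov/2025:20:15:02 +0000] "GET /app/reports?name=/etc/passwd HTTP/1.1" 200 2345
10.0.0.9 - analyst1 [17/Nov/2025:20:15:10 +0000] "GET /app/reports?name=%2Fetc%2Fshadow HTTP/1.1" 403 -
10.0.0.9 - analyst1 [17/Nov/2025:20:15:31 +0000] "GET /app/reports?name=C%3A%5CWindows%5Cwin.ini HTTP/1.1" 200 419
10.0.0.9 - analyst1 [17/Nov/2025:20:16:05 +0000] "GET /app/reports?name=..%252F..%252Fconfig.xml HTTP/1.1" 200 8801
10.0.0.7 - svc_etl [17/Nov/2025:20:20:44 +0000] "PUT /app/files/..%2F..%2Fwebapps%2Fx.jsp HTTP/1.1" 201 -
10.0.0.3 - bob [17/Nov/2025:20:21:00 +0000] "GET /app/static/logo.png HTTP/1.1" 200 1024
""".splitlines()


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so %252F, a double-encoded '/', is seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(value: str) -> Optional[str]:
    """Return why a decoded path-like value is suspicious, or None if it is not."""
    if ABS_PATH.match(value):
        return "absolute path (CWE-36)"
    if DOTDOT.search(value):
        return "dot-dot traversal"
    return None


def inspect_target(target: str):
    """Check every query value and the URL path of one request target.
    Returns a list of (location, decoded_value, reason) triples."""
    parts = urlsplit(target)
    findings = []
    for key, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = decode_fully(raw)        # parse_qsl decoded once; go further
        reason = classify(value)
        if reason:
            findings.append((f"query:{key}", value, reason))
    if ENCODED_SEP.search(parts.path):   # clients rarely encode separators in a path
        findings.append(("path", parts.path, "percent-encoded separator in path"))
    decoded_path = decode_fully(parts.path)
    if DOTDOT.search(decoded_path):
        findings.append(("path", decoded_path, "dot-dot traversal"))
    return findings


def scan_log(lines):
    """Parse access-log lines; return one hit per request that carries
    traversal indicators, keeping the authenticated user and status for triage."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                     # not an access-log line
        findings = inspect_target(m["target"])
        if findings:
            hits.append({"user": m["user"], "ip": m["ip"], "ts": m["ts"],
                         "status": int(m["status"]), "target": m["target"],
                         "findings": findings})
    return hits


def hits_by_user(hits) -> Counter:
    """Count flagged requests per authenticated account."""
    return Counter(h["user"] for h in hits)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for hit in found:
        for where, value, reason in hit["findings"]:
            print(f"{hit['ts']} user={hit['user']} status={hit['status']} "
                  f"{where}={value!r}: {reason}")
    print(dict(hits_by_user(found)))
```

Two of the sample hits would be missed by a "../" string match: the plain and encoded absolute paths. The status code is kept on purpose: the 403 line shows a request a front-end filter already stopped, while the 200 lines are the ones that warrant pulling the application's own logs and checking what was returned. Attribution by user matters for an authenticated flaw, since the follow-up is an account review as much as a host review.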
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Japan, Netherlands, Switzerland, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: ibm
- Date Reserved: 2025-04-15T21:16:54.209Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691b821c26779d9a5ea959fe
Added to database: 11/17/2025, 8:14:20 PM
Last enriched: 2/27/2026, 5:05:53 AM
Last updated: 3/22/2026, 2:50:53 AM