CVE-2025-36357: CWE-36 (Absolute Path Traversal) in IBM Planning Analytics Local
IBM Planning Analytics Local 2.1.0 through 2.1.14 could allow a remote authenticated user to traverse directories on the system. An attacker could send a specially crafted URL request containing absolute path sequences to view, read, or write arbitrary files on the system.
AI Analysis
Technical Summary
CVE-2025-36357 is a directory traversal vulnerability classified under CWE-36 (Absolute Path Traversal) affecting IBM Planning Analytics Local versions 2.1.0 through 2.1.14. A remote attacker with valid credentials can include absolute path sequences in a URL request and so bypass the directory restrictions the application intends to enforce. Through this technique the attacker can reach arbitrary files on the underlying system, reading sensitive data or modifying critical files. The vulnerability affects confidentiality, integrity and availability, since unauthorized file access can lead to data leakage, unauthorized changes or disruption of services. The CVSS 3.1 base score of 8.0 indicates high severity: the attack vector is the network, attack complexity is low, privileges are required (an authenticated user) and user interaction is required. Scope is unchanged, meaning the impact is confined to the vulnerable component. No public exploits have been reported yet, and the authentication and user-interaction requirements somewhat limit the immediate exploitation risk. However, given the sensitivity of the data handled by IBM Planning Analytics Local in enterprise environments, exploitation could have severe consequences. The vulnerability was publicly disclosed in November 2025, and no patch links were available at the time of analysis, which makes proactive mitigation important. The root cause is insufficient validation of user-supplied input in URL parameters, which allows traversal sequences to escape the intended directories.
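As an added illustration of the weakness class described above (this is not IBM code and not the affected component's handler), the following Python shows the two-layer check a file-serving endpoint should apply to a path taken from a URL parameter: a lexical rejection of absolute paths, drive-qualified paths and '..' components in both POSIX and Windows forms, followed by a containment check on the fully resolved path. The base directory name and the sample request paths are assumptions.

```python
"""Added example (not IBM code): validating a URL-supplied file path before
joining it to an application directory, covering CWE-36 (absolute paths)
and the related '..' traversal. Base directory and sample paths are assumed."""
import os
from pathlib import PurePosixPath, PureWindowsPath
from urllib.parse import unquote


def classify_request_path(user_path: str) -> tuple:
    """Purely lexical check on the raw value of a path parameter.

    Returns (allowed, reason). Percent-decoding is applied once here; an
    application must decode exactly as many times as its framework does,
    otherwise double-encoded sequences slip through the check.
    """
    decoded = unquote(user_path)
    if "\x00" in decoded:
        return False, "NUL byte in path"
    # CWE-36: absolute paths in either POSIX form (/etc/...) or Windows form
    # (C:\..., \\server\share\...). Both forms are tested so the check does
    # not depend on the host operating system.
    if PurePosixPath(decoded).is_absolute() or PureWindowsPath(decoded).is_absolute():
        return False, "absolute path not permitted"
    # 'C:file' is drive-relative rather than absolute on Windows but still
    # escapes the intended directory.
    if PureWindowsPath(decoded).drive:
        return False, "drive-qualified path not permitted"
    # PureWindowsPath splits on both '/' and '\\', so a '..' hidden behind a
    # backslash separator is caught even when the server runs on POSIX.
    if ".." in PureWindowsPath(decoded).parts:
        return False, "parent-directory component not permitted"
    return True, "ok"


def resolve_under_base(base_dir: str, user_path: str) -> str:
    """Join the validated path to base_dir and confirm, after symlink
    resolution, that the result is still inside base_dir.

    The lexical check is the first gate; the realpath containment check is
    defense in depth against symlinks and normalisation quirks.
    Raises ValueError on any rejection.
    """
    allowed, reason = classify_request_path(user_path)
    if not allowed:
        raise ValueError(reason)
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, unquote(user_path)))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("resolved path escapes base directory")
    return target


if __name__ == "__main__":
    # Constructed sample inputs; 'data' is an assumed application directory.
    for candidate in ["reports/q1.csv", "/etc/passwd", "C:\\Windows\\win.ini",
                      "..%2F..%2Fetc%2Fpasswd", "reports\\..\\secret.txt"]:
        print(candidate, "->", classify_request_path(candidate))
    print(resolve_under_base("data", "reports/q1.csv"))
```

The lexical gate is deliberately stricter than a pure resolve-and-compare check: rejecting any '..' component up front means a request never depends on what the filesystem happens to contain, and testing both path flavours keeps the rule correct when the same code is deployed on Windows and Linux hosts.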
Potential Impact
For European organizations, especially those in finance, government, and large enterprises relying on IBM Planning Analytics Local, this vulnerability poses a significant risk. Unauthorized file access could lead to exposure of sensitive financial data, strategic planning documents, or personally identifiable information, violating GDPR and other data protection regulations. Integrity compromise could allow attackers to alter planning data, leading to erroneous business decisions or financial losses. Availability impacts could arise if critical files are overwritten or deleted, disrupting business operations. The requirement for authentication and user interaction reduces the risk of widespread automated exploitation but does not eliminate insider threats or targeted attacks. Given IBM Planning Analytics Local’s role in business intelligence and planning, exploitation could undermine organizational trust and cause regulatory penalties. The lack of public exploits currently provides a window for mitigation, but organizations must act swiftly to prevent potential exploitation.
Mitigation Recommendations
European organizations should implement the following specific mitigations:
1) Restrict access to IBM Planning Analytics Local to trusted users only and enforce strong authentication mechanisms, including multi-factor authentication (MFA).
2) Apply the principle of least privilege by limiting user permissions to only those necessary for their roles, minimizing the risk of exploitation by authenticated users.
3) Monitor web server logs and application logs for suspicious URL patterns containing directory traversal sequences (e.g., ../ or absolute paths) to detect potential exploitation attempts.
4) Employ web application firewalls (WAFs) with rules designed to detect and block directory traversal attacks targeting IBM Planning Analytics Local.
5) Segregate the IBM Planning Analytics Local environment from other critical infrastructure to contain potential breaches.
6) Regularly check IBM’s security advisories for patches or updates addressing this vulnerability and apply them promptly once available.
7) Conduct user awareness training to reduce the risk of social engineering that could facilitate the user interaction required for exploitation.
8) Perform periodic security assessments and penetration testing focusing on directory traversal and input validation weaknesses in the affected application.
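The log-monitoring recommendation above can be turned into a concrete check. The following Python is an added example, not IBM code or tooling: it parses Combined Log Format access-log lines, percent-decodes the request path and each query parameter until stable, and flags '..' segments, absolute filesystem paths in parameter values (the CWE-36 pattern), multi-level encoding and NUL bytes. The sample log lines, hosts, user names and URL paths are constructed for the example; the endpoint names are not the product's.

```python
"""Added example (not IBM code or tooling): flagging directory-traversal
indicators in web-server access logs, the monitoring step the mitigation
list recommends. The log lines, hosts, users and URL paths are constructed."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample in Combined Log Format: hosts, users and paths are made up.
SAMPLE_LOG = """\
10.0.0.5 - alice [17/Nov/2025:20:14:20 +0000] "GET /pa/files/reports/q1.csv HTTP/1.1" 200 5120
10.0.0.7 - bob [17/Nov/2025:20:15:02 +0000] "GET /pa/files/..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1311
10.0.0.7 - bob [17/Nov/2025:20:15:09 +0000] "GET /pa/export?file=/etc/shadow HTTP/1.1" 403 0
10.0.0.9 - carol [17/Nov/2025:20:16:41 +0000] "GET /pa/export?file=C:%5CWindows%5Cwin.ini HTTP/1.1" 200 92
10.0.0.9 - carol [17/Nov/2025:20:17:00 +0000] "GET /pa/files/%252e%252e/config.ini HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
WIN_ABSOLUTE = re.compile(r"^([A-Za-z]:/|//)")   # C:/... or UNC //server/...


def fully_decode(value: str, max_rounds: int = 3) -> tuple:
    """Percent-decode until stable; returns (decoded, rounds_that_changed).
    More than one effective round means the request was multiply encoded,
    which is worth flagging on its own as a filter-evasion indicator."""
    rounds = 0
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def traversal_indicators(target: str) -> list:
    """Return human-readable reasons a request target looks like traversal."""
    reasons = []
    parts = urlsplit(target)
    fields = [("path", parts.path)]
    fields += [(f"param:{k}", v) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    for where, raw in fields:
        value, rounds = fully_decode(raw)
        value = value.replace("\\", "/")     # treat Windows separators like '/'
        if ".." in value.split("/"):
            reasons.append(f"{where}: dot-dot segment after decoding")
        # The URL path itself always starts with '/', so the absolute-path
        # test (CWE-36) is only meaningful for parameter values.
        if where != "path" and (value.startswith("/") or WIN_ABSOLUTE.match(value)):
            reasons.append(f"{where}: absolute filesystem path")
        if rounds > 1:
            reasons.append(f"{where}: multi-level percent-encoding")
        if "\x00" in value:
            reasons.append(f"{where}: NUL byte")
    return reasons


def scan_log(text: str) -> list:
    """Parse each line and keep only those with traversal indicators."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                     # malformed line: skip, do not abort the scan
        reasons = traversal_indicators(m["target"])
        if reasons:
            findings.append({"ip": m["ip"], "user": m["user"], "ts": m["ts"],
                             "status": int(m["status"]), "target": m["target"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        # A 200 on a flagged request deserves priority over a 403 or 404.
        print(f"{f['ts']} {f['ip']} user={f['user']} status={f['status']} "
              f"{f['target']} -> {'; '.join(f['reasons'])}")
```

Because the vulnerability requires an authenticated user, the user field is the most useful pivot in the output: a flagged request with a 200 status from a named account is a candidate for immediate account review, while 403 and 404 responses still show probing worth correlating across sessions.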
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: ibm
- Date Reserved: 2025-04-15T21:16:54.209Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691b821c26779d9a5ea959fe
Added to database: 11/17/2025, 8:14:20 PM
Last enriched: 11/24/2025, 8:21:58 PM
Last updated: 1/7/2026, 8:48:43 AM