CVE-2025-36357: CWE-36 Absolute Path Traversal in IBM Planning Analytics Local
IBM Planning Analytics Local 2.1.0 through 2.1.14 could allow a remote authenticated user to traverse directories on the system. An attacker could send a specially crafted URL request containing absolute path sequences to view, read, or write arbitrary files on the system.
AI Analysis
Technical Summary
CVE-2025-36357 is an absolute path traversal vulnerability (CWE-36) in IBM Planning Analytics Local versions 2.1.0 through 2.1.14. A remote, authenticated user can send a crafted URL request whose file-reference value is an absolute path (a leading "/", or a Windows drive or UNC prefix) rather than the "../" sequences of classic relative traversal (CWE-23). Where a server joins a user-controlled value onto a base directory without rejecting absolute forms and confining the canonicalised result to that directory, the absolute value replaces the base entirely, so the attacker can read and, per IBM's description, write arbitrary files that the service account can reach. The root cause implied by the weakness class is missing validation of the user-supplied path; the published record does not identify the affected component or parameter. Impact covers confidentiality (configuration, credential and planning data files), integrity (overwriting files) and availability (corrupting files the application depends on). The CVSS v3.1 base score is 8.0 (High). The metrics listed for it, network attack vector, low attack complexity, privileges required, user interaction required and high confidentiality, integrity and availability impact, correspond to the vector AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H, the only combination of those metrics that scores 8.0. The user-interaction metric is worth noting: it suggests at least one exploitation path in which an authenticated user opens an attacker-supplied link, so the crafted request need not originate from the attacker's own session. At the time of this analysis no public exploit was known and no fix was recorded; confirm current patch availability against IBM's security bulletin for this CVE before relying on workarounds, since the platform is typically deployed for financial and operational planning where both the data and the host are sensitive.
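To make the weakness class concrete, the following added example (not IBM's code; the resolver functions, base directory and payloads are hypothetical stand-ins, not the actual vulnerable component) contrasts a file resolver that only strips "../" with one that rejects absolute forms and confines the canonicalised path to its base directory:

```python
"""CWE-36 (absolute path traversal): a vulnerable resolver beside a hardened one.

Added example, not IBM's code. The resolver functions, the base directory
and the payloads are hypothetical; they illustrate the weakness class named
in the advisory, not the real vulnerable component.
"""
import os
import tempfile
from urllib.parse import unquote


def vulnerable_resolve(base_dir: str, requested: str) -> str:
    """Typical bug: only the relative '../' form is stripped.

    os.path.join discards base_dir entirely when its second argument is
    absolute, so a decoded '/etc/passwd' wins outright (CWE-36). The naive
    strip is also defeated by '....//', which collapses back into '../'.
    """
    cleaned = unquote(requested).replace("../", "")
    return os.path.join(base_dir, cleaned)


def safe_resolve(base_dir: str, requested: str) -> str:
    """Reject absolute forms up front, then canonicalise and confine to base_dir."""
    decoded = unquote(requested)  # decode exactly once, as the web tier would
    if (
        os.path.isabs(decoded)                        # POSIX '/...' (and 'C:\' on Windows)
        or decoded.startswith("\\\\")                 # UNC '\\server\share'
        or (len(decoded) > 1 and decoded[1] == ":")   # drive letter even on POSIX hosts
        or "\x00" in decoded
    ):
        raise PermissionError(f"absolute or malformed path rejected: {requested!r}")
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, decoded))
    # realpath resolves '..' and symlinks; commonpath then proves containment.
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"path escapes base directory: {requested!r}")
    return candidate


# Constructed payloads: one legitimate name plus traversal forms of both CWE-36 and CWE-23.
PAYLOADS = [
    "report.csv",
    "/etc/passwd",
    "%2Fetc%2Fpasswd",
    "....//....//etc/passwd",
]


def evaluate(base_dir: str) -> dict:
    """Return {payload: (vulnerable_outcome, safe_outcome)} for each payload."""
    root = os.path.realpath(base_dir)
    results = {}
    for payload in PAYLOADS:
        resolved = os.path.realpath(vulnerable_resolve(root, payload))
        vulnerable = "confined" if os.path.commonpath([root, resolved]) == root else "escaped"
        try:
            safe_resolve(root, payload)
            safe = "confined"
        except PermissionError:
            safe = "rejected"
        results[payload] = (vulnerable, safe)
    return results


def demo() -> dict:
    """Run the comparison inside a scratch directory so it is safe to execute anywhere."""
    with tempfile.TemporaryDirectory() as scratch:
        return evaluate(scratch)


if __name__ == "__main__":
    for payload, (vuln, safe) in demo().items():
        print(f"{payload:26} vulnerable={vuln:9} hardened={safe}")
```

The decisive check is the last one: after os.path.realpath has resolved every ".." and symlink, os.path.commonpath either returns the base directory or it does not, which is a property of the result rather than of whichever encodings or dot-sequences the request used. The explicit absolute-form rejection in front of it mainly gives a clearer error and keeps Windows drive and UNC forms from being treated as ordinary file names on a POSIX host.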
Potential Impact
For European organizations the impact is potentially substantial. IBM Planning Analytics Local, the on-premises deployment of IBM's TM1-based planning platform, is used for budgeting, forecasting and financial consolidation in financial services, manufacturing and public-sector bodies, so the files reachable through this flaw can include planning data and model definitions and, more seriously, application configuration and credential material on the host. Exploitation could mean disclosure of confidential business data, silent manipulation of the files behind financial models, or disruption of the service by overwriting files it depends on, with the follow-on consequences of financial loss, GDPR notification obligations where personal data is exposed, and reputational damage. The authentication requirement narrows the attacker population to insiders, low-privilege business users and anyone holding stolen credentials, but once authenticated the attack is low complexity and needs only a crafted request. Arbitrary file read is also a privilege-escalation primitive: configuration files and stored secrets on the analytics host are a route to the database and directory accounts it connects to, and from there to lateral movement. Organizations whose decision-making depends on this platform are therefore exposed both to operational disruption and to data-integrity compromise that may go unnoticed.
Mitigation Recommendations
European organizations should first confirm whether IBM has published a fixed release for this CVE and, if so, upgrade; the workarounds below reduce risk but do not remove the weakness. Audit who holds accounts on IBM Planning Analytics Local and apply least privilege, since every authenticated user is a potential attacker here; remove dormant and shared accounts and enforce multi-factor authentication to blunt credential theft. Because the user-interaction metric implies an attacker may deliver the crafted URL to a logged-in victim, treat links to the application arriving by e-mail or chat with the same suspicion as any other phishing lure. Limit what a successful traversal can reach: run the service under a dedicated account with read and write access only to its own installation and data directories, so that system files, other applications' configuration and credential stores stay out of scope even if the check is bypassed. Detect attempts in web-tier and application logs: CWE-36 is about absolute paths, so rules and searches must match leading slashes, Windows drive letters (C:\) and UNC prefixes (\\) in file-name parameters as well as the usual ../ sequences, in raw, URL-encoded and double-encoded forms, and each hit should be tied to the authenticated user for attribution. A WAF carrying such rules adds a layer but does not see internal or encrypted traffic it is not in front of, so it complements rather than replaces the server-side fix. Restrict network access so the application and its administrative interfaces are reachable only from trusted ranges, and enable file integrity monitoring on the installation, configuration and data directories to catch unauthorized writes. Once a fix is available, prioritise its deployment across all affected environments, then search historical logs for the patterns above to find any exploitation that preceded it.
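Added example of the log review described above (not part of the original analysis and not IBM tooling): it parses constructed Common Log Format lines, percent-decodes file-name parameters repeatedly to expose double encoding, flags absolute POSIX paths, Windows drive letters, UNC prefixes, ".." segments and null bytes, and pivots the hits by authenticated user. The endpoint /pa/api/v1/files and the name parameter are hypothetical stand-ins, not the real vulnerable request.

```python
"""Hunt for absolute-path and dot-dot traversal attempts in web access logs.

Added example, not IBM tooling. The log lines are constructed in Common
Log Format; the endpoint '/pa/api/v1/files' and the 'name' parameter are
hypothetical stand-ins, not the real vulnerable request.
"""
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

CLF = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# CWE-36 is about absolute forms, so the indicators go well beyond '../'.
PATTERNS = [
    ("absolute_posix", re.compile(r"^/")),
    ("windows_drive", re.compile(r"^[A-Za-z]:[\\/]")),
    ("unc_path", re.compile(r"^\\\\")),
    ("dot_dot", re.compile(r"(^|[\\/])\.\.([\\/]|$)")),
    ("null_byte", re.compile("\x00")),
]

# Constructed sample: one account probing several traversal forms, two benign users.
SAMPLE_LOG = """\
10.0.0.5 - analyst1 [17/Nov/2025:20:10:01 +0000] "GET /pa/api/v1/files?name=budget2025.xlsx HTTP/1.1" 200 5120
10.0.0.9 - contractor7 [17/Nov/2025:20:11:44 +0000] "GET /pa/api/v1/files?name=%2Fetc%2Fpasswd HTTP/1.1" 200 2931
10.0.0.9 - contractor7 [17/Nov/2025:20:12:03 +0000] "GET /pa/api/v1/files?name=C%3A%5CWindows%5Cwin.ini HTTP/1.1" 200 403
10.0.0.9 - contractor7 [17/Nov/2025:20:12:30 +0000] "GET /pa/api/v1/files?name=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 403 0
10.0.0.9 - contractor7 [17/Nov/2025:20:13:10 +0000] "GET /pa/api/v1/files?name=%252Fetc%252Fpasswd HTTP/1.1" 200 2931
10.0.0.7 - analyst2 [17/Nov/2025:20:14:00 +0000] "GET /pa/api/v1/report?id=42 HTTP/1.1" 200 8000
"""


def full_decode(value: str, max_rounds: int = 3):
    """Percent-decode until stable; the round count exposes double encoding."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def inspect_target(target: str) -> list:
    """Return traversal indicators found in a request target's path and query values."""
    tags = []
    parts = urlsplit(target)
    path, _ = full_decode(parts.path)
    for name, rx in PATTERNS:
        if name != "absolute_posix" and rx.search(path):  # every URL path starts with '/'
            tags.append(name)
    for item in (parts.query.split("&") if parts.query else []):
        _, _, raw = item.partition("=")        # split before decoding to keep encoding layers visible
        value, rounds = full_decode(raw)
        for name, rx in PATTERNS:
            if rx.search(value) and name not in tags:
                tags.append(name)
        if rounds > 1 and "multi_encoding" not in tags:
            tags.append("multi_encoding")
    return tags


def analyze(log_text: str) -> list:
    """Parse CLF lines and keep only those showing traversal indicators."""
    hits = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue
        tags = inspect_target(m["target"])
        if tags:
            status = int(m["status"])
            hits.append({
                "user": m["user"], "ip": m["ip"], "status": status,
                "target": m["target"], "tags": tags,
                "likely_success": status < 400,  # a 200 on an absolute path deserves triage first
            })
    return hits


def by_user(hits: list) -> Counter:
    """Attribution pivot: the CVE needs an authenticated user, so count hits per account."""
    return Counter(h["user"] for h in hits)


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for h in found:
        print(h["user"], h["status"], h["tags"], h["target"])
    print(by_user(found))
```

Two design points carry over to a SIEM rule: decode before matching, because a single-decoded "%252F" still looks harmless, and report the response status alongside the indicator, since a 200 with a non-trivial byte count on an absolute path is evidence of a successful read rather than a blocked attempt.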
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: ibm
- Date Reserved: 2025-04-15T21:16:54.209Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691b821c26779d9a5ea959fe
Added to database: 11/17/2025, 8:14:20 PM
Last enriched: 11/17/2025, 8:14:55 PM
Last updated: 11/18/2025, 10:44:39 AM
Related Threats
- CVE-2025-41737: CWE-284 Improper Access Control in METZ CONNECT Energy-Controlling EWIO2-M (High)
- CVE-2025-41736: CWE-35 Path Traversal: '.../...//' in METZ CONNECT Energy-Controlling EWIO2-M (High)
- CVE-2025-41735: CWE-434 Unrestricted Upload of File with Dangerous Type in METZ CONNECT Energy-Controlling EWIO2-M (High)
- CVE-2025-41734: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in METZ CONNECT Energy-Controlling EWIO2-M (Critical)
- CVE-2025-41733: CWE-305 Authentication Bypass by Primary Weakness in METZ CONNECT Energy-Controlling EWIO2-M (Critical)