CVE-2025-36360: CWE-613 Insufficient Session Expiration in IBM UCD - IBM UrbanCode Deploy
IBM UCD - IBM UrbanCode Deploy 7.1 through 7.1.2.27, 7.2 through 7.2.3.20, and 7.3 through 7.3.2.15 and IBM UCD - IBM DevOps Deploy 8.0 through 8.0.1.10, and 8.1 through 8.1.2.3 is susceptible to a race condition in http-session client-IP binding enforcement which may allow a session to be briefly reused from a new IP address before it is invalidated, potentially enabling unauthorized access under certain network conditions.
AI Analysis
Technical Summary
CVE-2025-36360 is a vulnerability classified under CWE-613 (Insufficient Session Expiration) affecting IBM UrbanCode Deploy (UCD) versions 7.1 through 7.3 and IBM DevOps Deploy versions 8.0 through 8.1.2.3. The issue arises from a race condition in the HTTP session client-IP binding enforcement mechanism. Normally, UCD binds a user session to a client IP address to prevent session hijacking from different IPs. However, due to this race condition, there is a brief window during which a session can be reused from a new IP address before the system invalidates the old session. This flaw could allow an attacker, under certain network conditions, to gain unauthorized access by reusing a valid session token from a different IP address. The vulnerability requires low privileges (PR:L) but has a high attack complexity (AC:H), meaning exploitation is not trivial and depends on specific timing and network scenarios. No user interaction is required (UI:N), and the attack can be performed remotely over the network (AV:N). The CVSS v3.1 score is 5.0 (medium severity), reflecting limited but non-negligible impacts on confidentiality, integrity, and availability. No public exploits or patches are currently available, emphasizing the need for proactive mitigation. The vulnerability affects critical DevOps deployment infrastructure, potentially exposing deployment pipelines and automation processes to unauthorized access and manipulation.
Potential Impact
For European organizations, this vulnerability poses a risk to the security of software deployment pipelines managed through IBM UrbanCode Deploy. Unauthorized session reuse could lead to attackers gaining access to deployment environments, potentially allowing them to alter deployment configurations, inject malicious code, or disrupt automated release processes. This could compromise the integrity and availability of critical applications and services, impacting business operations and compliance with data protection regulations such as GDPR. The medium severity rating indicates a moderate risk, but the potential impact on DevOps environments—often integral to continuous integration and delivery—could be significant, especially for industries with stringent security requirements like finance, healthcare, and critical infrastructure. The lack of known exploits reduces immediate risk but should not lead to complacency. Organizations relying heavily on IBM UCD for deployment automation in Europe must assess exposure and prioritize mitigation to prevent lateral movement and session hijacking attempts.
Mitigation Recommendations
1. Apply patches or updates from IBM as soon as they become available to address this vulnerability directly.
2. Implement network segmentation and strict firewall rules to limit access to IBM UCD servers to trusted IP ranges and internal networks only.
3. Enforce multi-factor authentication (MFA) for all users accessing the UCD environment to reduce the risk of session hijacking leading to unauthorized access.
4. Monitor session activity logs for anomalies such as sessions switching IP addresses unexpectedly or unusual access patterns.
5. Configure session timeout settings to minimize the window of opportunity for session reuse.
6. Use VPNs or secure tunnels to ensure consistent client IP addresses and reduce the chance of session reuse from different IPs.
7. Educate DevOps teams about the risk and encourage immediate reporting of suspicious session behavior.
8. Consider deploying Web Application Firewalls (WAF) with rules to detect and block suspicious session reuse attempts.
9. Regularly review and audit user privileges and session management policies within IBM UCD environments.
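Recommendation 4 can be checked against access logs. The following is an added example, not part of the original advisory and not IBM code: it flags requests that were accepted for an existing session from an IP address other than the one the session was first seen on, which is the behaviour the race condition permits. The log line format, the `sid=` field and the sample lines are constructed assumptions; adapt the regular expression to the format your reverse proxy or UCD server actually writes.

```python
import re
from datetime import datetime

# Assumed (constructed) format: timestamp, client IP, sid=<session id hash>, request, status.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) sid=(?P<sid>\S+) "[^"]*" (?P<status>\d{3})$'
)

# Constructed sample input; addresses come from private and documentation ranges.
SAMPLE_LOG = """\
2025-12-15T10:00:01Z 10.20.0.15 sid=aaa111 "GET /app/list" 200
2025-12-15T10:00:05Z 10.20.0.15 sid=aaa111 "GET /app/detail" 200
2025-12-15T10:00:06Z 203.0.113.40 sid=aaa111 "GET /app/list" 200
2025-12-15T10:00:07Z 203.0.113.40 sid=aaa111 "GET /app/detail" 401
2025-12-15T10:01:00Z 10.20.0.22 sid=bbb222 "GET /app/list" 200
2025-12-15T18:30:00Z 10.20.0.23 sid=bbb222 "GET /app/list" 401
this line does not match the format and is skipped
"""

def find_ip_switches(log_text):
    """Return requests that succeeded from an IP other than the session's bound IP."""
    bound = {}      # sid -> (bound IP, time of last request from that IP)
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines in an unexpected format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        sid, ip, status = m["sid"], m["ip"], int(m["status"])
        if sid not in bound:
            if status < 400:          # bind on the first accepted request
                bound[sid] = (ip, ts)
            continue
        bound_ip, last_ts = bound[sid]
        if ip == bound_ip:
            bound[sid] = (ip, ts)
        elif status < 400:
            # Accepted from a new IP: IP binding was not enforced for this request.
            findings.append({
                "sid": sid, "bound_ip": bound_ip, "new_ip": ip,
                "gap_seconds": (ts - last_ts).total_seconds(),
            })
        # A 4xx from a new IP means the binding check rejected the request, as intended.
    return findings

if __name__ == "__main__":
    for f in find_ip_switches(SAMPLE_LOG):
        print(f)
```

A rejected request (4xx) from a new address is the expected outcome of IP binding and is deliberately not reported; only accepted ones are.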
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: ibm
- Date Reserved: 2025-04-15T21:16:55.331Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69407362d9bcdf3f3d00c44b
Added to database: 12/15/2025, 8:45:22 PM
Last enriched: 12/15/2025, 9:01:54 PM
Last updated: 2/7/2026, 9:34:07 AM