CVE-2025-36363 is a vulnerability classified under CWE-307, indicating improper restriction of excessive authentication attempts in IBM DevOps Plan versions 3.0.0 through 3.0.5. The core issue arises from the product's inadequate account lockout mechanisms, which fail to sufficiently limit the number of consecutive failed login attempts. This deficiency enables remote attackers to conduct brute force attacks against user credentials without requiring any privileges or user interaction. The vulnerability affects the confidentiality of user accounts, as successful brute forcing could lead to unauthorized access to sensitive project and operational data managed within IBM DevOps Plan. The CVSS 3.1 base score is 5.9, reflecting medium severity with network attack vector, high attack complexity, no privileges required, no user interaction, and an impact limited to confidentiality. No known exploits have been reported in the wild, and no official patches have been published yet. However, the vulnerability poses a significant risk to organizations relying on IBM DevOps Plan for software development lifecycle management, as compromised credentials could lead to unauthorized access and potential data leakage. The vulnerability highlights the importance of robust authentication controls and account lockout policies in enterprise software solutions.

If exploited, this vulnerability could allow attackers to gain unauthorized access to IBM DevOps Plan accounts by brute forcing passwords remotely. This unauthorized access could lead to exposure of sensitive development and operational data, intellectual property theft, and potential disruption of software development workflows. While the vulnerability does not directly impact system integrity or availability, the confidentiality breach could have downstream effects such as unauthorized code changes or leakage of proprietary information. Organizations with large-scale deployments of IBM DevOps Plan are at higher risk, especially if they do not have compensating controls like multi-factor authentication or network segmentation. The absence of patches increases the window of exposure, making proactive mitigation critical. The medium severity rating suggests a moderate risk level, but the potential for targeted attacks against valuable development environments elevates its importance for affected enterprises.

Organizations should immediately review and strengthen their authentication policies for IBM DevOps Plan, including implementing strict account lockout thresholds to limit failed login attempts. Deploying multi-factor authentication (MFA) for all users accessing the platform can significantly reduce the risk of credential compromise. Monitoring and alerting on unusual authentication patterns, such as repeated failed login attempts, should be established to detect brute force attempts early. Network-level controls, such as IP blacklisting or rate limiting on login endpoints, can further reduce attack surface. Until official patches are released, consider isolating IBM DevOps Plan instances within secure network segments and restricting access to trusted IP ranges. Regularly update and audit user credentials, enforcing strong password policies. Finally, stay informed on IBM’s security advisories for timely patch deployment once available.