CVE-2025-36437: CWE-209 Generation of Error Message Containing Sensitive Information in IBM IBM Planning Analytics Local
IBM Planning Analytics Local 2.1.0 - 2.1.15 could disclose sensitive information about server architecture that could aid in further attacks against the system.
AI Analysis
Technical Summary
CVE-2025-36437 is a vulnerability classified under CWE-209, which pertains to the generation of error messages containing sensitive information. This issue affects IBM Planning Analytics Local versions 2.1.0 through 2.1.15. The vulnerability arises because the software discloses details about the server architecture in its error messages. Such information disclosure can give attackers insight into the system's configuration, potentially facilitating more sophisticated attacks such as targeted exploitation of other vulnerabilities or reconnaissance for lateral movement. The CVSS v3.1 base score is 4.3, indicating medium severity. The vector indicates that the attack can be performed remotely over the network (AV:N) with low attack complexity (AC:L), requiring low privileges (PR:L) but no user interaction (UI:N). The scope remains unchanged (S:U), and the impact affects confidentiality only (C:L), with no impact on integrity or availability. No patches are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability was reserved in April 2025 and published in December 2025. IBM Planning Analytics Local is financial and operational planning software widely used in enterprise environments, making this vulnerability relevant to organizations relying on this product for critical business functions.
Potential Impact
For European organizations, the disclosure of sensitive server architecture information could increase the risk of targeted attacks against their IBM Planning Analytics Local deployments. Attackers could leverage this information to identify additional vulnerabilities or misconfigurations, potentially leading to unauthorized access or data breaches. Although the vulnerability itself does not directly compromise data integrity or availability, the confidentiality leak can be a stepping stone for more severe attacks. Organizations in finance, manufacturing, and government sectors that use IBM Planning Analytics Local for critical planning and analytics functions may face increased risk. The medium severity rating suggests that while immediate exploitation impact is limited, the vulnerability should be addressed promptly to prevent escalation. Additionally, compliance with European data protection regulations such as GDPR may be impacted if sensitive information is exposed or if subsequent attacks lead to data breaches.
Mitigation Recommendations
1. Restrict network access to IBM Planning Analytics Local instances by implementing strict firewall rules and network segmentation to limit exposure to trusted users and systems only.
2. Monitor application and system logs for unusual error messages or access patterns that could indicate reconnaissance or exploitation attempts.
3. Apply any available patches or updates from IBM as soon as they are released to address this vulnerability.
4. If patches are not yet available, consider implementing custom error handling or suppressing detailed error messages to prevent sensitive information leakage.
5. Conduct regular security assessments and penetration testing focused on IBM Planning Analytics Local deployments to identify and remediate related weaknesses.
6. Educate system administrators and users about the risks of information disclosure and the importance of reporting suspicious activity.
7. Review and harden server configurations to minimize information exposure through error messages or other system outputs.
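Recommendations 2 and 4 above describe two generic controls for a CWE-209 weakness: stop verbose errors from reaching the client, and watch the access log for clients that trigger an unusual number of error responses. The following Python is an added illustration of both patterns and is not IBM's code nor specific to Planning Analytics Local; the function names, the sensitive-content patterns and the sample log lines are constructed for this example, and the access-log format is assumed to be a simplified common-log layout.

```python
"""Added example: CWE-209 hardening pattern plus a simple error-probing detector.

Not IBM code. All names, patterns and log lines are constructed for illustration.
"""
import logging
import re
import traceback
import uuid
from collections import Counter, defaultdict

log = logging.getLogger("app")

# Content that reveals server architecture and must never reach a client.
# Illustrative patterns, not an exhaustive list.
SENSITIVE_PATTERNS = [
    re.compile(r"[A-Za-z]:\\[^\s'\"]+"),              # Windows install paths
    re.compile(r"/(?:opt|usr|home|var)/[^\s'\"]+"),   # Unix paths
    re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"),       # internal IP addresses
    re.compile(r"\bat [\w.$]+\([\w.]+:\d+\)"),        # Java-style stack frames
]


def contains_sensitive(text: str) -> bool:
    """True if the text matches any architecture-revealing pattern."""
    return any(p.search(text) for p in SENSITIVE_PATTERNS)


def leaky_error_response(exc: Exception) -> dict:
    """The CWE-209 anti-pattern: raw exception text and stack trace go to the client."""
    return {"status": 500, "error": str(exc), "trace": traceback.format_exc()}


def safe_error_response(exc: Exception) -> dict:
    """Hardened form: generic message plus a correlation ID; detail stays in the server log."""
    ref = uuid.uuid4().hex
    log.error("ref=%s type=%s detail=%s", ref, type(exc).__name__, exc, exc_info=True)
    return {"status": 500, "error": "An internal error occurred.", "reference": ref}


def handle(request_fn, sanitize: bool = True) -> dict:
    """Run a request handler and route any exception through the chosen error formatter."""
    try:
        return {"status": 200, "body": request_fn()}
    except Exception as exc:  # noqa: BLE001 - demo catch-all at the response boundary
        return safe_error_response(exc) if sanitize else leaky_error_response(exc)


# Assumed simplified access-log layout: client ident user "METHOD path proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample: one normal client and one client repeatedly provoking errors.
SAMPLE_LOG = """\
10.0.0.5 - alice "GET /api/v1/Cubes HTTP/1.1" 200
10.0.0.5 - alice "GET /api/v1/Cubes('Sales') HTTP/1.1" 200
10.0.0.9 - bob "GET /api/v1/Cubes('Nope') HTTP/1.1" 404
10.0.0.9 - bob "GET /api/v1/Dimensions('Nope') HTTP/1.1" 404
10.0.0.9 - bob "POST /api/v1/ExecuteProcess HTTP/1.1" 500
10.0.0.9 - bob "GET /api/v1/Views('Nope') HTTP/1.1" 404
10.0.0.9 - bob "GET /api/v1/Processes('Nope') HTTP/1.1" 404
10.0.0.9 - bob "POST /api/v1/ExecuteProcess HTTP/1.1" 500
10.0.0.5 - alice "GET /api/v1/Dimensions HTTP/1.1" 200
""".splitlines()


def find_error_probing(log_lines, min_errors: int = 5) -> dict:
    """Return {client_ip: (error_count, distinct_error_paths)} for clients at or above the threshold.

    Many errors across many distinct paths from one client is the pattern that
    recommendation 2 asks operators to look for; one broken page being retried
    shows up as many errors on a single path and can be triaged differently.
    """
    errors = Counter()
    paths = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if int(m["status"]) >= 400:
            errors[m["ip"]] += 1
            paths[m["ip"]].add(m["path"])
    return {ip: (n, len(paths[ip])) for ip, n in errors.items() if n >= min_errors}


if __name__ == "__main__":
    def broken():
        raise OSError("cannot open C:\\ibm\\cognos\\tm1_64\\bin64\\tm1s.cfg")

    print("leaky :", handle(broken, sanitize=False)["error"])
    print("safe  :", handle(broken)["error"])
    print("probing clients:", find_error_probing(SAMPLE_LOG))
```

The hardened handler keeps the diagnostic value of the exception (it is logged with a reference ID the user can quote to support) while the client sees only a fixed string; `contains_sensitive` is the check a test suite can run over every error body an application emits.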
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: ibm
- Date Reserved: 2025-04-15T21:17:03.969Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69389fb7d4eb7e5ad77c2812
Added to database: 12/9/2025, 10:16:23 PM
Last enriched: 12/9/2025, 10:31:14 PM
Last updated: 12/11/2025, 7:35:08 AM