CVE-2025-27550

3.5 LOW

📋 TL;DR

CVE-2025-27550 is an improper access control flaw in IBM Jazz Reporting Service (JRS). An authenticated user on the same network as the server can obtain sensitive information belonging to other projects hosted on that server. It affects organizations that run multiple projects on one shared JRS instance; a JRS instance dedicated to a single project has nothing for the flaw to leak.

💻 Affected Systems

Products:
  • IBM Jazz Reporting Service
Versions: Specific versions not detailed in advisory; check IBM advisory for exact affected versions
Operating Systems: All supported platforms for IBM Jazz Reporting Service
Default Config Vulnerable: ⚠️ Yes
Notes: Affects configurations where multiple projects share the same Jazz Reporting Service instance.

📦 What is this software?

IBM Jazz Reporting Service (JRS) is the reporting component of IBM Engineering Lifecycle Management (ELM, formerly Rational Collaborative Lifecycle Management). It comprises Report Builder, the Data Collection Component and Lifecycle Query Engine, and aggregates data (work items, requirements, test artifacts) from the Jazz-based applications across the project areas registered on a server. One JRS instance normally serves many project areas, which is the sharing condition this vulnerability depends on.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An authenticated malicious insider exfiltrates sensitive project data, intellectual property or confidential information from other projects hosted on the same Jazz Reporting Service instance.

🟠 Likely Case

Accidental or intentional information leakage between projects, violating data-segregation requirements or exposing proprietary information to members of another project.

🟢 If Mitigated

Limited impact once the fix is applied, or where network segmentation, tight project-area permissions and per-instance separation of sensitive projects keep unauthorized users from reaching other projects' data.

🌐 Internet-Facing: LOW - Requires authenticated access and typically deployed internally.
🏢 Internal Only: MEDIUM - Authenticated internal users could exploit this to access unauthorized project data.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires authenticated access but exploitation appears straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check IBM advisory for specific fixed versions

Vendor Advisory: https://www.ibm.com/support/pages/node/7258083

Restart Required: Yes

Instructions:

1. Review the IBM advisory for the affected and fixed versions.
2. Apply the recommended fix or upgrade to a non-vulnerable version.
3. Restart the Jazz Reporting Service.
4. Verify the fix by confirming that a user who belongs to one project cannot read data from a project they are not a member of.

🔧 Temporary Workarounds

Network Segmentation (all platforms)

Restrict network access to Jazz Reporting Service to only authorized users and systems. Exploitation requires an authenticated user on the same network, so shrinking the set of accounts and hosts that can reach the service directly shrinks the exposure.

Access Control Review (all platforms)

Review and tighten user permissions and project-area membership within Jazz Reporting Service, and remove users from projects they no longer need. This reduces who can authenticate and what they are legitimately entitled to; it does not close the flaw itself, which lies in the service's own enforcement of project boundaries, so it is a stopgap until the fix is applied.

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can reach the Jazz Reporting Service
  • Segregate sensitive projects to separate Jazz Reporting Service instances

🔍 How to Verify

Check if Vulnerable:

Check your IBM Jazz Reporting Service version against the affected versions listed in the IBM advisory

Check Version:

Check Jazz Reporting Service administration interface or installation documentation for version information

Verify Fix Applied:

After patching, log in as a user who is a member of exactly one project and confirm that reports, data sources and query results for projects that user does not belong to return an authorization error rather than data. Repeat with a second single-project user in the other direction.

📡 Detection & Monitoring

Log Indicators:

  • A single user reading data from several project areas in a short window, especially projects that user is not a member of
  • Reads of a project's data that succeed after earlier requests for the same project by the same user were denied

These indicators need application-level logging that records both the user and the project area per request; web-server access logs alone usually do not identify the project. Confirm what your JRS and application-server logging actually records before building alerts on these fields.

Network Indicators:

  • Unusually large responses or data transfers from Jazz Reporting Service to a single client
  • Access from network segments that should not be able to reach the service

SIEM Query:

Splunk-style SPL. The field names source, event_type, status, project and user describe an assumed log schema and must be mapped to the fields your logs actually emit:

source="jazz_reporting" (event_type="data_access" OR event_type="project_access") status=200
| stats dc(project) AS project_count values(project) AS projects BY user
| where project_count > 1
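The same detection logic run offline over sample log lines, as an added example (not code from the page or from IBM). The log line format, the field names and the entitlement map are assumptions; the sample lines are constructed, not real Jazz Reporting Service output. It goes one step beyond the SIEM query: besides flagging users who fan out across several projects, it checks successful reads against an entitlement map and surfaces denied-then-allowed sequences for the same user and project.

```python
"""Cross-project access detection over JRS-style audit lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not real Jazz Reporting Service output).
# Assumed line format:
#   <ISO-8601 timestamp> user=<id> event=<type> project=<project area> status=<http status>
SAMPLE_LOG = """\
2025-04-01T09:00:01Z user=alice event=project_access project=ProjA status=200
2025-04-01T09:00:05Z user=alice event=data_access project=ProjA status=200
2025-04-01T09:01:10Z user=bob event=project_access project=ProjB status=200
2025-04-01T09:02:00Z user=bob event=data_access project=ProjA status=200
2025-04-01T09:02:30Z user=bob event=data_access project=ProjC status=200
2025-04-01T09:03:00Z user=carol event=data_access project=ProjC status=403
2025-04-01T09:04:00Z user=carol event=data_access project=ProjC status=200
malformed line that the parser must skip
"""

# Assumed entitlement map: which project areas each user may read.
# In practice, export this from the project-area membership on the server.
ENTITLEMENTS = {
    "alice": {"ProjA"},
    "bob": {"ProjB"},
    "carol": {"ProjC"},
}

READ_EVENTS = {"data_access", "project_access"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) "
    r"project=(?P<project>\S+) status=(?P<status>\d{3})$"
)


def parse_log(text):
    """Parse the assumed log format into dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        e["status"] = int(e["status"])
        events.append(e)
    return events


def find_unauthorized_reads(events, entitlements):
    """Successful reads of a project the user is not entitled to.

    Returns (user, project, timestamp) tuples in log order. Denied requests
    (non-200) are ignored here: they show the control working, not leaking.
    """
    findings = []
    for e in events:
        if e["event"] not in READ_EVENTS or e["status"] != 200:
            continue
        if e["project"] not in entitlements.get(e["user"], set()):
            findings.append((e["user"], e["project"], e["ts"].isoformat()))
    return findings


def find_project_fanout(events, max_projects=1):
    """Users who successfully read from more than max_projects distinct projects.

    Entitlement-free version of the check (what the SIEM query does), for when
    no membership export is available; expect false positives for users who
    legitimately work across several projects.
    """
    per_user = defaultdict(set)
    for e in events:
        if e["event"] in READ_EVENTS and e["status"] == 200:
            per_user[e["user"]].add(e["project"])
    return {u: sorted(p) for u, p in per_user.items() if len(p) > max_projects}


def find_denied_then_allowed(events):
    """(user, project) pairs where a denied read was later followed by a
    successful one: either permissions changed legitimately or the user
    found a path around the check. Both are worth a look."""
    denied = set()
    flagged = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["event"] not in READ_EVENTS:
            continue
        key = (e["user"], e["project"])
        if e["status"] in (401, 403):
            denied.add(key)
        elif e["status"] == 200 and key in denied:
            flagged.append(key)
            denied.discard(key)
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, project, ts in find_unauthorized_reads(evs, ENTITLEMENTS):
        print(f"UNAUTHORIZED READ {ts} user={user} project={project}")
    for user, projects in find_project_fanout(evs).items():
        print(f"FANOUT user={user} projects={','.join(projects)}")
    for user, project in find_denied_then_allowed(evs):
        print(f"DENIED-THEN-ALLOWED user={user} project={project}")
```

On the constructed sample, bob is flagged twice: once by the entitlement check (successful reads of ProjA and ProjC while entitled only to ProjB) and once by fan-out (three distinct projects), while carol's 403-then-200 on ProjC is surfaced for review. The entitlement check is the one to rely on; fan-out alone will flag legitimate multi-project users.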

🔗 References

  • IBM Security Bulletin: https://www.ibm.com/support/pages/node/7258083
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-27550
