CVE-2025-36015

6.5 MEDIUM

📋 TL;DR

This vulnerability in IBM Controller and IBM Cognos Controller allows an authenticated user to cause a denial of service by sending specially crafted input that triggers improper validation of a specified quantity (size) value. Affected users are those running vulnerable versions of these financial consolidation and reporting applications and exposing them to authenticated access.

💻 Affected Systems

Products:
  • IBM Controller
  • IBM Cognos Controller
Versions: IBM Controller 11.1.0 through 11.1.1; IBM Cognos Controller 11.0.0 through 11.0.1 FP6
Operating Systems: All supported platforms for these versions
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access to exploit. All deployments of affected versions are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service unavailability for all users of the affected Controller application, disrupting financial reporting and consolidation operations.

🟠 Likely Case

Service degradation or temporary unavailability affecting business users who rely on the Controller application for financial processes.

🟢 If Mitigated

Minimal impact with proper input validation and monitoring in place to detect and block malicious requests.

🌐 Internet-Facing: MEDIUM - While authentication is required, internet-facing instances could be targeted by attackers with stolen credentials.
🏢 Internal Only: HIGH - Internal users with legitimate access could intentionally or accidentally trigger the DoS condition.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but appears straightforward based on the description of improper input validation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: IBM Controller 11.1.2 and later; IBM Cognos Controller 11.0.2 and later

Vendor Advisory: https://www.ibm.com/support/pages/node/7253273

Restart Required: Yes

Instructions:

1. Download the latest version from IBM Fix Central.
2. Back up the current installation.
3. Apply the update following IBM's installation guide.
4. Restart the Controller services.
5. Verify the update was successful.

🔧 Temporary Workarounds

Input Validation Filtering (applies to: all)

Implement application-level input validation to reject malformed quantity size inputs before processing.

Access Restriction (applies to: all)

Restrict Controller application access to only necessary users and implement rate limiting on input endpoints.

🧯 If You Can't Patch

  • Implement strict access controls and monitor for unusual input patterns
  • Deploy WAF rules to block malformed quantity size inputs at the network perimeter

🔍 How to Verify

Check if Vulnerable:

Check the installed version of IBM Controller/Cognos Controller against affected version ranges.

Check Version:

Check the version via the Controller web interface or the version files in the installation directory.

Verify Fix Applied:

Verify the version is updated to 11.1.2+ for IBM Controller or 11.0.2+ for Cognos Controller, and test input validation functionality.
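A version check against the ranges stated on this page, added here as an example (not IBM tooling). It assumes versions read like "11.0.1 FP6" with the fix pack as a least-significant component, and that an upper bound given without a fix pack (such as "11.1.1") covers every fix pack of that release; anything outside both the affected and fixed ranges is reported as "not listed" so you confirm it against the vendor advisory rather than assuming it is safe.

```python
import re
from typing import Dict, Tuple

# Ranges as stated in this advisory for CVE-2025-36015. A fix pack suffix
# ("FP6") is a fourth, least-significant component; an upper bound given
# without one (e.g. "11.1.1") is read as covering every fix pack of that release.
AFFECTED_RANGES: Dict[str, Tuple[str, str]] = {
    "IBM Controller": ("11.1.0", "11.1.1"),
    "IBM Cognos Controller": ("11.0.0", "11.0.1 FP6"),
}
FIXED_VERSIONS: Dict[str, str] = {
    "IBM Controller": "11.1.2",
    "IBM Cognos Controller": "11.0.2",
}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s*FP\s*(\d+))?\s*$", re.IGNORECASE)
_ANY_FP = 10**6  # sentinel meaning "any fix pack of this release" (assumption)


def parse_version(text: str, *, inclusive_upper: bool = False) -> Tuple[int, int, int, int]:
    """'11.0.1 FP6' -> (11, 0, 1, 6); '11.1.1' -> (11, 1, 1, 0), or (11, 1, 1, _ANY_FP)
    when inclusive_upper=True so the value can serve as an inclusive range ceiling."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, fp = m.groups()
    fp_num = int(fp) if fp is not None else (_ANY_FP if inclusive_upper else 0)
    return (int(major), int(minor), int(patch), fp_num)


def assess(product: str, installed: str) -> str:
    """Return 'affected', 'fixed' or 'not listed' for the installed version."""
    if product not in AFFECTED_RANGES:
        raise KeyError(f"product not covered by this advisory: {product!r}")
    low_s, high_s = AFFECTED_RANGES[product]
    low = parse_version(low_s)
    high = parse_version(high_s, inclusive_upper=True)
    fixed = parse_version(FIXED_VERSIONS[product])
    v = parse_version(installed)
    if v >= fixed:
        return "fixed"
    if low <= v <= high:
        return "affected"
    # Older release, or a fix pack above the stated ceiling: the advisory is
    # silent, so report it as unknown and confirm against the vendor page.
    return "not listed"


if __name__ == "__main__":
    print(assess("IBM Cognos Controller", "11.0.1 FP6"))  # affected
```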

📡 Detection & Monitoring

Log Indicators:

  • Unusually large quantity size inputs in application logs
  • Multiple failed input validation attempts from single users
  • Service restart events following malformed inputs

Network Indicators:

  • Spikes in traffic to quantity input endpoints
  • Repeated malformed requests from authenticated sessions

SIEM Query:

source="controller_app" AND (message="*quantity*size*error*" OR message="*validation*failed*")
