CVE-2025-36100

5.1 MEDIUM

📋 TL;DR

IBM MQ stores passwords in client configuration files when trace functionality is enabled, allowing local users to read sensitive credentials. This affects IBM MQ LTS versions 9.1.0.0-9.1.0.29, 9.2.0.0-9.2.0.36, 9.3.0.0-9.3.0.30, 9.4.0.0-9.4.0.12 and IBM MQ CD versions 9.3.0.0-9.3.5.1, 9.4.0.0-9.4.3.0.

💻 Affected Systems

Products:
  • IBM MQ LTS
  • IBM MQ CD
Versions: IBM MQ LTS: 9.1.0.0-9.1.0.29, 9.2.0.0-9.2.0.36, 9.3.0.0-9.3.0.30, 9.4.0.0-9.4.0.12; IBM MQ CD: 9.3.0.0-9.3.5.1, 9.4.0.0-9.4.3.0
Operating Systems: All platforms running affected IBM MQ versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when trace functionality is enabled in client configuration.

📦 What is this software?

IBM MQ is IBM's message-oriented middleware. Queue managers host queues and channels, and client applications (C/C++, Java/JMS, .NET and others) connect to them over the network, normally presenting a user ID and password for connection authentication. Client-side behaviour, including diagnostic trace, is controlled by client configuration files (mqclient.ini for the native client) and environment settings. LTS (Long Term Support) releases receive fix packs on the 9.x.0.y stream; CD (Continuous Delivery) releases are the 9.x.1 and later modification levels.

⚠️ Risk & Real-World Impact

🔴

Worst Case

A local user who reads a stored password can reuse it to connect to the queue manager as the client's identity: read, consume or inject messages, and perform whatever administrative operations that identity is authorised for.

🟠

Likely Case

Local users with file system access can read stored passwords from trace configuration files, leading to credential exposure.

🟢

If Mitigated

With trace disabled, passwords are no longer written out; with strict permissions on client configuration and trace files, other local users cannot read anything that was written. Trace output produced while trace was on still contains the passwords until it is deleted, and the exposed passwords should be changed.

🌐 Internet-Facing: LOW - This requires local file system access, not network exposure.
🏢 Internal Only: MEDIUM - Internal users with local access to affected systems can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

No exploit code is involved: an attacker with a local account that can read the files simply reads the stored password out of them, which is why complexity is low despite there being no public PoC. Exploitation requires local file system access to the client configuration and trace files, and trace must have been enabled.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply IBM MQ LTS 9.1.0.30, 9.2.0.37, 9.3.0.31, 9.4.0.13 or later; IBM MQ CD 9.3.5.2, 9.4.3.1 or later

Vendor Advisory: https://www.ibm.com/support/pages/node/7243544

Restart Required: Yes. Fix packs cannot be applied to a running installation: stop the queue managers and client applications that use the installation before applying maintenance, then restart them afterwards.

Instructions:

1. Download the fix pack for your release stream (LTS or CD) and platform from IBM Fix Central.
2. Stop queue managers and client applications using the installation, then apply the fix pack following the IBM MQ maintenance instructions for that platform.
3. Confirm the new level with dspmqver (the Version: line should show the fixed level or later).
4. Repeat on every machine where the MQ client libraries are installed, not only on queue manager hosts: the affected files are on the client side.

🔧 Temporary Workarounds

Disable trace functionality

All platforms

Prevent password storage by disabling trace in client configuration files.

Stop any client trace that is running (endmqtrc on the client machine for the native client) and remove the setting that enabled trace from the client configuration, so that passwords stop being written out. Then delete, or securely wipe, any trace output already produced: it may already contain passwords, and the credentials it exposed should be changed.

Restrict file permissions

Unix/Linux

Set strict file permissions on client configuration files to prevent unauthorized reading.

# Owner should be the service account that runs the client application
# (mqm is shown as an example); apply the same restriction to the directory
# that receives trace output.
chmod 600 /path/to/client/config/files/*.ini
chown mqm:mqm /path/to/client/config/files/*.ini

🧯 If You Can't Patch

  • Disable trace in every client configuration and stop any trace already running
  • Delete trace output already written and change any passwords it may contain
  • Apply strict file system permissions and access controls to client configuration and trace files

🔍 How to Verify

Check if Vulnerable:

Run dspmqver on each client installation and compare the Version: line with the affected ranges above (LTS: 9.1.0.0-9.1.0.29, 9.2.0.0-9.2.0.36, 9.3.0.0-9.3.0.30, 9.4.0.0-9.4.0.12; CD: 9.3.0.0-9.3.5.1, 9.4.0.0-9.4.3.0). An installation in range is exposed only if client trace is enabled, so also check whether the client configuration enables trace and whether trace output is present on disk.

Check Version:

dspmqver

Verify Fix Applied:

Run dspmqver and confirm the Version: line is at or above the fixed level for your stream (LTS 9.1.0.30, 9.2.0.37, 9.3.0.31, 9.4.0.13; CD 9.3.5.2, 9.4.3.1). Then enable trace briefly in a test client, connect with a user ID and password, and confirm that neither the trace output nor the client configuration files contain the password; disable trace and delete the output afterwards.
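The following shell script is an added example for the checks above and for the file-permission workaround; it is not IBM's tooling and does not come from the original advisory. It parses dspmqver output, tests the version against the affected ranges quoted on this page, scans files for password-like lines, and lists files readable by group or others. The sample dspmqver output and trace line are constructed; the password regular expression and the trace-file location mentioned in the usage note are assumptions.

```shell
#!/bin/sh
# Added example (not IBM code): version-range check, credential scan and
# permission audit for the CVE-2025-36100 checks described above.

# ver_le A B: exit 0 if dotted version A <= B, comparing up to four numeric fields.
ver_le() {
    i=1
    while [ "$i" -le 4 ]; do
        a=$(printf '%s' "$1" | cut -s -d. -f"$i")
        b=$(printf '%s' "$2" | cut -s -d. -f"$i")
        a=${a:-0}
        b=${b:-0}
        if [ "$a" -lt "$b" ]; then return 0; fi
        if [ "$a" -gt "$b" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# mq_version_affected V: exit 0 if V falls in a range quoted in this advisory.
# The LTS ranges cover the 9.x.0.y fix-pack streams; CD levels are 9.3.1 and
# 9.4.1 onwards, so the CD ranges start there (otherwise fixed LTS levels such
# as 9.3.0.31 would be reported as affected).
mq_version_affected() {
    v="$1"
    for range in "9.1.0.0 9.1.0.29" "9.2.0.0 9.2.0.36" "9.3.0.0 9.3.0.30" \
                 "9.4.0.0 9.4.0.12" "9.3.1.0 9.3.5.1" "9.4.1.0 9.4.3.0"; do
        set -- $range
        if ver_le "$1" "$v" && ver_le "$v" "$2"; then
            return 0
        fi
    done
    return 1
}

# mq_version_from_dspmqver: read dspmqver output on stdin, print the Version: value.
mq_version_from_dspmqver() {
    sed -n 's/^Version:[[:space:]]*//p' | head -n 1
}

# scan_for_credentials FILE...: print file:line:text for lines that look like a
# stored password (the pattern is an assumption); exit 0 if anything matched.
scan_for_credentials() {
    grep -n -i -E 'pass(word|wd)?[[:space:]]*[=:]' "$@" 2>/dev/null
}

# lax_permissions PATH...: list regular files under PATH readable by group or
# others (mode bits 040 or 004), i.e. readable by accounts other than the owner.
lax_permissions() {
    find "$@" -type f \( -perm -040 -o -perm -004 \) -print
}

# Demonstration on constructed input (not output from a real MQ client).
sample_dspmqver='Name:        IBM MQ
Version:     9.3.0.20'
ver=$(printf '%s\n' "$sample_dspmqver" | mq_version_from_dspmqver)
if mq_version_affected "$ver"; then
    echo "MQ $ver is within an affected range; check whether client trace is enabled"
else
    echo "MQ $ver is outside the affected ranges"
fi

# Constructed trace-like file containing a credential; file name and content are made up.
tmp="${TMPDIR:-/tmp}/mq_trace_sample.$$"
printf 'Connecting to QM1 over SVRCONN\nCSPUserId=app1 CSPPassword=Hunter2!\n' > "$tmp"
chmod 644 "$tmp"
if scan_for_credentials "$tmp"; then
    echo "credential-like content found: disable trace, delete the file, change the password"
fi
lax_permissions "$tmp" | sed 's/^/group- or world-readable: /'
rm -f "$tmp"
```

On a live client machine, feed the real command into the parser (dspmqver | mq_version_from_dspmqver) and point scan_for_credentials and lax_permissions at the client configuration directory and at wherever trace is written (on Unix the native client's default is the trace directory under the MQ data path, which is an assumption to confirm for your install). A hit from scan_for_credentials means the file must be deleted and the password changed, not merely re-permissioned.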

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to configuration files
  • Trace log files containing password strings

Network Indicators:

  • None - this is a local file system vulnerability

SIEM Query:

Search file-access audit events for reads of IBM MQ client configuration and trace files by users or processes other than the client application's service account. On Linux an auditd watch on the relevant directories (auditctl -w <client config directory> -p r -k mq_client_config) produces the events to query; alert on any read by an unexpected account.

🔗 References

  • IBM Security Bulletin: https://www.ibm.com/support/pages/node/7243544
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-36100