CVE-2025-36125

6.4 MEDIUM

📋 TL;DR

IBM Hardware Management Console for Power systems is vulnerable to stored cross-site scripting (XSS) that allows authenticated users to inject malicious JavaScript into the web interface. This could lead to session hijacking or credential theft within trusted sessions. Affects IBM HMC Power versions 10.3.1050.0 and 11.1.1110.0.

💻 Affected Systems

Products:
  • IBM Hardware Management Console - Power
Versions: 10.3.1050.0 and 11.1.1110.0
Operating Systems: IBM HMC-specific OS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects web UI component of HMC. Requires authenticated user access to exploit.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Authenticated attacker steals administrator credentials, gains full control of the hardware management console, and potentially compromises the managed Power systems.

🟠 Likely Case

Authenticated user with malicious intent steals session cookies or credentials from other users, leading to unauthorized access.

🟢 If Mitigated

Limited impact due to the authentication requirement and same-origin policy restrictions.

🌐 Internet-Facing: MEDIUM - If HMC is exposed to internet, risk increases but still requires authentication.
🏢 Internal Only: MEDIUM - Internal authenticated users can exploit, but attack surface is limited to authorized personnel.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated access to HMC web interface. Attacker needs to craft and inject malicious JavaScript payload.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply fixes per IBM advisory

Vendor Advisory: https://www.ibm.com/support/pages/node/7244336

Restart Required: No

Instructions:

1. Review the IBM advisory
2. Apply the recommended fixes from IBM
3. Verify the HMC version after the update

🔧 Temporary Workarounds

Input Validation Enhancement (scope: all)

Implement additional input validation and output encoding for user-supplied content in the HMC web interface.

🧯 If You Can't Patch

  • Restrict HMC access to only necessary administrative users
  • Implement web application firewall with XSS protection rules

🔍 How to Verify

Check if Vulnerable:

Check HMC version via web interface or SSH: lshmc -V

Check Version:

lshmc -V

Verify Fix Applied:

Verify that the installed version is newer than the affected versions and that test XSS payloads no longer execute in the web interface.

📡 Detection & Monitoring

Log Indicators:

  • Unusual JavaScript injection patterns in web logs
  • Multiple failed authentication attempts followed by successful login

Network Indicators:

  • Suspicious JavaScript payloads in HTTP requests to HMC

SIEM Query:

source="hmc_web_logs" AND (http_request CONTAINS "<script>" OR http_request CONTAINS "javascript:")
