CVE-2025-36222
📋 TL;DR
This vulnerability exposes AMQStreams without client authentication in IBM Fusion products due to insecure default configurations. Attackers could perform unauthorized actions on affected systems. Organizations running IBM Fusion 2.2.0 through 2.10.1, IBM Fusion HCI 2.2.0 through 2.10.0, or IBM Fusion HCI for watsonx 2.8.2 through 2.10.0 are vulnerable.
💻 Affected Systems
- IBM Fusion
- IBM Fusion HCI
- IBM Fusion HCI for watsonx
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of AMQStreams infrastructure allowing data exfiltration, service disruption, or unauthorized administrative actions across the messaging system.
Likely Case
Unauthorized access to message streams leading to data leakage, message injection, or service disruption.
If Mitigated
Limited impact with proper network segmentation and authentication controls in place.
🎯 Exploit Status
Exploitation requires network access to AMQStreams endpoints but no authentication credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: IBM Fusion 2.10.2, IBM Fusion HCI 2.10.1, IBM Fusion HCI for watsonx 2.10.1
Vendor Advisory: https://www.ibm.com/support/pages/node/7244646
Restart Required: Yes
Instructions:
1. Review the IBM advisory.
2. Apply patches to affected versions.
3. Restart services.
4. Verify that authentication is enabled for AMQStreams.
🔧 Temporary Workarounds
Enable AMQStreams Client Authentication
Configure AMQStreams to require client authentication before allowing connections.
Refer to IBM documentation for AMQStreams authentication configuration specific to your deployment
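As an added illustration (not a manifest from IBM or from the advisory), the following shows what "require client authentication" looks like for a Kafka cluster managed through a Strimzi-style Kafka custom resource, which is how AMQ Streams listeners are normally declared. Whether your IBM Fusion deployment exposes this resource, and the cluster name `my-cluster`, are assumptions; use the IBM documentation referenced above for the deployment-specific procedure.

```yaml
# Added example, not IBM's or Red Hat's own manifest.
# Assumption: the AMQ Streams cluster is declared as a kafka.strimzi.io Kafka
# custom resource; "my-cluster" is a placeholder name.
apiVersion: kafka.strimzi.io/v1beta2
kind: Kafka
metadata:
  name: my-cluster
spec:
  kafka:
    listeners:
      # Weak (the condition described in the advisory): a listener with no
      # "authentication" block accepts any client that can reach port 9092.
      #
      # - name: plain
      #   port: 9092
      #   type: internal
      #   tls: false
      #
      # Hardened: TLS on the wire plus SCRAM-SHA-512 client authentication.
      # A client that presents no valid credentials is rejected at the
      # listener, which is what the "Verify Fix Applied" check below tests.
      - name: secure
        port: 9092
        type: internal
        tls: true
        authentication:
          type: scram-sha-512
    # Authentication alone only identifies the client; simple (ACL-based)
    # authorization makes the default "no rights" so each KafkaUser must be
    # granted access to its topics explicitly.
    authorization:
      type: simple
```

After the operator reconciles the change, existing clients that were connecting without credentials will start failing, so the corresponding KafkaUser credentials need to be rolled out to legitimate producers and consumers at the same time.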
Network Segmentation
Restrict network access to AMQStreams endpoints using firewalls or network policies. Example iptables rules for the default listener port, where trusted_network is a placeholder for the CIDR of the permitted client range (the ACCEPT rule must precede the DROP rule):
iptables -A INPUT -p tcp --dport 9092 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 9092 -j DROP
🧯 If You Can't Patch
- Implement strict network access controls to limit exposure of AMQStreams endpoints
- Enable and enforce client authentication for all AMQStreams connections
🔍 How to Verify
Check if Vulnerable:
Check if AMQStreams endpoints (typically port 9092) are accessible without authentication from untrusted networks.
Check Version:
Check IBM Fusion product version through administrative interface or configuration files.
Verify Fix Applied:
Test that AMQStreams connections require valid authentication credentials and unauthorized connections are rejected.
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated connection attempts to AMQStreams ports
- Failed authentication attempts from unexpected sources
- Unusual message consumption/production patterns
Network Indicators:
- Unencrypted or unauthenticated traffic to AMQStreams ports (typically 9092)
- Connection attempts from unauthorized IP ranges
SIEM Query:
source_port=9092 AND (auth_failure OR no_authentication)
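The log and network indicators above can be checked with a small script where no SIEM is available. The following is an added example, not tooling from IBM or the advisory: it parses constructed Kafka broker log lines for the "Failed authentication with /<ip>" message that a SASL listener emits, and constructed netfilter LOG lines (as produced by an iptables LOG rule placed before the DROP rule in the workaround above) for TCP connections whose destination port is the broker listener, 9092. The trusted network 10.20.0.0/16, the failure threshold, and all sample lines are assumptions made for the example.

```python
"""Flag failed-authentication and untrusted connection attempts against an
AMQ Streams / Kafka listener. Added example, not from the IBM advisory.

Inputs are constructed samples: Apache Kafka broker log lines and netfilter
LOG output. Trusted range and threshold are assumptions for illustration."""
import ipaddress
import re
from collections import Counter

BROKER_PORT = 9092                                   # listener port named on the page
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]  # assumption: legitimate clients
FAILURE_THRESHOLD = 2                                # assumption: repeated failures alert

# Kafka's SocketServer logs "Failed authentication with /<client-ip> (...)"
KAFKA_AUTH_FAIL = re.compile(r"Failed authentication with /(?P<ip>[\d.]+)")
# netfilter LOG target fields; the broker port appears as DPT (destination port)
NETFILTER_LINE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)")

# Constructed broker log (not a real capture).
SAMPLE_BROKER_LOG = """\
[2025-06-01 10:00:01,120] INFO [SocketServer listenerType=ZK_BROKER, nodeId=0] Failed authentication with /198.51.100.7 (channelId=198.51.100.7:9092-198.51.100.7:51000-3) (Authentication failed: Invalid username or password) (org.apache.kafka.common.network.Selector)
[2025-06-01 10:00:01,480] INFO [SocketServer listenerType=ZK_BROKER, nodeId=0] Failed authentication with /198.51.100.7 (channelId=198.51.100.7:9092-198.51.100.7:51002-3) (Authentication failed: Invalid username or password) (org.apache.kafka.common.network.Selector)
[2025-06-01 10:00:02,002] INFO [SocketServer listenerType=ZK_BROKER, nodeId=0] Failed authentication with /10.20.4.15 (channelId=10.20.1.5:9092-10.20.4.15:40120-1) (Authentication failed: Invalid username or password) (org.apache.kafka.common.network.Selector)
[2025-06-01 10:00:03,310] INFO [SocketServer listenerType=ZK_BROKER, nodeId=0] Successfully authenticated client: authenticationID=app-consumer; authorizationID=app-consumer. (org.apache.kafka.common.security.authenticator.SaslServerAuthenticator)
"""

# Constructed netfilter LOG lines from a rule such as
#   iptables -A INPUT -p tcp --dport 9092 -j LOG --log-prefix "AMQ-9092: "
# inserted before the DROP rule shown in the workaround.
SAMPLE_NETFILTER_LOG = """\
Jun  1 10:00:05 kafka-node-1 kernel: AMQ-9092: IN=eth0 OUT= SRC=203.0.113.9 DST=10.20.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=43981 DF PROTO=TCP SPT=51322 DPT=9092 WINDOW=64240 RES=0x00 SYN URGP=0
Jun  1 10:00:06 kafka-node-1 kernel: AMQ-9092: IN=eth0 OUT= SRC=203.0.113.9 DST=10.20.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=43982 DF PROTO=TCP SPT=51323 DPT=9092 WINDOW=64240 RES=0x00 SYN URGP=0
Jun  1 10:00:07 kafka-node-1 kernel: AMQ-9092: IN=eth0 OUT= SRC=10.20.4.15 DST=10.20.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=11 DF PROTO=TCP SPT=40120 DPT=9092 WINDOW=64240 RES=0x00 SYN URGP=0
Jun  1 10:00:08 kafka-node-1 kernel: SSH: IN=eth0 OUT= SRC=203.0.113.9 DST=10.20.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=43983 DF PROTO=TCP SPT=51324 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
"""


def is_trusted(ip: str) -> bool:
    """True when the address falls inside one of the trusted client ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def auth_failures_by_source(broker_log: str) -> Counter:
    """Count broker-side authentication failures per client IP (log indicator)."""
    counts = Counter()
    for line in broker_log.splitlines():
        m = KAFKA_AUTH_FAIL.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def untrusted_connections(netfilter_log: str, port: int = BROKER_PORT) -> Counter:
    """Count TCP connection attempts to the broker port from outside the
    trusted ranges (network indicator). Other destination ports are ignored."""
    hits = Counter()
    for line in netfilter_log.splitlines():
        m = NETFILTER_LINE.search(line)
        if m and int(m.group("dpt")) == port and not is_trusted(m.group("src")):
            hits[m.group("src")] += 1
    return hits


def findings(broker_log: str, netfilter_log: str) -> list:
    """Combine both indicators into (kind, source_ip, count) alerts.
    A single failure from a trusted host is treated as noise; any failure from
    an untrusted host, or repeated failures from anywhere, is reported."""
    alerts = []
    for ip, n in auth_failures_by_source(broker_log).items():
        if n >= FAILURE_THRESHOLD or not is_trusted(ip):
            alerts.append(("auth_failure", ip, n))
    for ip, n in untrusted_connections(netfilter_log).items():
        alerts.append(("untrusted_connection", ip, n))
    return sorted(alerts)


if __name__ == "__main__":
    for kind, ip, n in findings(SAMPLE_BROKER_LOG, SAMPLE_NETFILTER_LOG):
        print(f"{kind:22s} {ip:16s} count={n}")
```

On the constructed input this reports two repeated authentication failures from 198.51.100.7 and two connection attempts to port 9092 from 203.0.113.9; the single failure from the trusted host 10.20.4.15 and the port 22 traffic are not flagged. Note that, from the broker's side, connections arrive on destination port 9092, so the equivalent SIEM field is the destination rather than the source port.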