CVE-2025-36250

10.0 CRITICAL

📋 TL;DR

This vulnerability allows remote, unauthenticated attackers to execute arbitrary commands on IBM AIX and VIOS hosts running the NIM master service (nimesis) because of improper process controls. It affects IBM AIX 7.2 and 7.3 and IBM VIOS 3.1 and 4.1. IBM describes it as addressing additional attack vectors for the previously patched CVE-2024-56346, so a host that only has the earlier fix installed remains exposed.

💻 Affected Systems

Products:
  • IBM AIX
  • IBM VIOS
Versions: AIX 7.2, 7.3; VIOS 3.1, 4.1
Operating Systems: IBM AIX, IBM VIOS
Default Config Vulnerable: ⚠️ Yes, on any host that has been configured as a NIM master (nimesis is not started on an AIX install that has not been set up as a NIM master).
Notes: Only hosts running the NIM master service (nimesis) are affected. This vulnerability covers additional attack vectors beyond what was fixed in CVE-2024-56346, so having that earlier fix installed does not protect against it.

📦 What is this software?

Network Installation Management (NIM) is the AIX facility for installing, updating and maintaining AIX and VIOS systems over the network from a central NIM master. nimesis is the NIM master daemon: it runs as a subsystem under the System Resource Controller (SRC), listens on TCP port 1058 (service name "nim" in /etc/services) and carries out the operations requested by NIM clients.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with root-level access, allowing attacker to install malware, exfiltrate data, or pivot to other systems.

🟠

Likely Case

Remote code execution leading to unauthorized access, data theft, or service disruption.

🟢

If Mitigated

Limited impact if proper network segmentation and access controls prevent unauthorized access to NIM service.

🌐 Internet-Facing: HIGH if NIM service is exposed to internet, as it allows unauthenticated remote code execution.
🏢 Internal Only: HIGH even internally, as it can be exploited by any network-accessible attacker within the environment.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The CVSS 10.0 score reflects a network attack vector, low attack complexity, no privileges, no user interaction and a scope change, so exploitation should be assumed to be straightforward for anyone who can reach the nimesis port. No public exploit code has been identified at this time, but the same service was the target of CVE-2024-56346, so treat this as a patch-now issue rather than waiting for a PoC.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply the fix IBM provides for your exact fileset level. The advisory lists the APAR and interim fix (ifix) for each affected AIX and VIOS level; take the identifiers from there, not from this page.

Vendor Advisory: https://www.ibm.com/support/pages/node/7251173

Restart Required: Yes

Instructions:

1. Review the IBM advisory at the URL above and note the ifix/APAR that matches your installed level (lslpp -L bos.sysmgt.nim.master).
2. Download the ifix package for your AIX/VIOS level from the location given in the advisory.
3. Install it with emgr (emgr -e <package>.epkg.Z); fixes delivered at service-pack level are applied with installp or smit instead.
4. Restart nimesis (stopsrc -s nimesis; startsrc -s nimesis), or reboot if emgr reports that the fix requires one, then confirm with emgr -l that the ifix is in state S (stable).

🔧 Temporary Workarounds

Disable NIM Server Service

aix

Stop nimesis if NIM master functionality is not required, then prevent it from being restarted at boot. Note that chssys has no "disable" option: its -d flag only controls whether the subsystem is displayed by lssrc, so the original "chssys -s nimesis -d" does nothing useful here. To remove the master configuration entirely (this also deletes the NIM database), use nim -o unconfig master.

stopsrc -s nimesis
lsitab -a | grep -i nim    # locate the inittab entry that starts the nim subsystem group at boot
rmitab <entry>             # remove that entry so nimesis stays down across reboots

Network Access Control

all

Restrict access to the NIM master port (1058/tcp, service "nim"; NIM client registration also uses 1059/tcp, "nimreg") to the addresses of known NIM clients. The iptables rules below are for a Linux firewall or gateway in front of the master, not for AIX itself; on AIX use IP Security filter rules (genfilt/mkfilt) or the upstream network firewall. Allow the NIM client subnet first so that the blanket DROP does not break legitimate installs.

iptables -A INPUT -p tcp --dport 1058 -s 10.0.0.0/24 -j ACCEPT   # NIM client subnet, adjust to yours
iptables -A INPUT -p tcp --dport 1058 -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate NIM servers from untrusted networks.
  • Monitor NIM server logs for suspicious activity and implement intrusion detection.

🔍 How to Verify

Check if Vulnerable:

Check whether the nimesis subsystem is active: lssrc -s nimesis (status "active" means the host is in scope; "inoperative" means it is not currently exposed, but re-check after any NIM master reconfiguration).

Check Version:

oslevel -s

Verify Fix Applied:

Confirm either that nimesis is inoperative, or that the installed level of bos.sysmgt.nim.master (lslpp -L bos.sysmgt.nim.master) is at or above the fixed level given in the advisory, or that the ifix is listed by emgr -l in state S (stable). An ifix does not change the fileset level that lslpp and oslevel report, so checking the version alone will report a correctly patched host as unpatched; check emgr -l as well.
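The verification steps above as one decision, written here as an added example in POSIX shell (not IBM's code and not from the advisory). Each function reads the output of one AIX command on stdin, so the logic can be exercised on captured text and, on the master itself, on the live command. FIXED_LEVEL and IFIX_LABEL are placeholders that must be replaced with the values from IBM's advisory; the sample command outputs are constructed.

```sh
#!/bin/sh
# Exposure check for CVE-2025-36250 on an AIX NIM master (added example, not IBM's code).
# Each function reads one command's output on stdin so the logic can run offline on
# captured text; on the master itself, pipe the live command in (see the end of the file).

# PLACEHOLDERS: take the real fixed fileset level and ifix label from IBM's advisory
# (https://www.ibm.com/support/pages/node/7251173). These two values are assumptions.
FIXED_LEVEL="7.3.3.0"
IFIX_LABEL="NIM_FIX"

# 0 when `lssrc -s nimesis` reports the subsystem as active.
nimesis_active() {
    awk '$1 == "nimesis" && $NF == "active" { found = 1 } END { exit (found ? 0 : 1) }'
}

# Prints the installed level of bos.sysmgt.nim.master from `lslpp -Lc` output
# (colon-separated: package:fileset:level:...; the first line is a # header).
nim_master_level() {
    awk -F: '!/^#/ && $2 == "bos.sysmgt.nim.master" { print $3; exit }'
}

# 0 when dotted level $1 is >= $2, comparing each component numerically
# (a string comparison would rank 7.3.10.0 below 7.3.2.0).
level_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, "."); k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            ai = (i <= n) ? x[i] + 0 : 0; bi = (i <= m) ? y[i] + 0 : 0
            if (ai > bi) exit 0
            if (ai < bi) exit 1
        }
        exit 0
    }'
}

# 0 when `emgr -l` lists ifix $1 in state S (stable). State Q means a reboot is still
# required and the fix is not yet effective, so it deliberately does not count.
ifix_installed() {
    awk -v label="$1" '$2 == "S" && $3 == label { found = 1 } END { exit (found ? 0 : 1) }'
}

# Verdict for one host: args are lssrc, lslpp -Lc and emgr -l output, the fixed
# level and the ifix label. Returns 0 = not exposed, 1 = exposed.
assess() {
    if ! printf '%s\n' "$1" | nimesis_active; then
        echo "nimesis not active: not exposed (re-check if the master is reconfigured)"
        return 0
    fi
    level=$(printf '%s\n' "$2" | nim_master_level)
    if [ -z "$level" ]; then
        echo "nimesis active but bos.sysmgt.nim.master not found in lslpp output: investigate"
        return 1
    fi
    if level_ge "$level" "$4"; then
        echo "patched: fileset level $level is at or above $4"
        return 0
    fi
    # An ifix does not raise the level lslpp reports, so check emgr before calling it exposed.
    if printf '%s\n' "$3" | ifix_installed "$5"; then
        echo "patched: fileset $level is below $4 but ifix $5 is installed (state S)"
        return 0
    fi
    echo "EXPOSED: nimesis active, fileset $level below $4, ifix $5 not installed"
    return 1
}

# Constructed sample outputs in the formats the three commands print.
SAMPLE_LSSRC='Subsystem         Group            PID          Status
 nimesis          nim              4915304      active'
SAMPLE_LSSRC_DOWN='Subsystem         Group            PID          Status
 nimesis          nim                           inoperative'
SAMPLE_LSLPP='#Package Name:Fileset:Level:State:PTF Id:Fix State:Type:Description
bos.sysmgt.nim:bos.sysmgt.nim.master:7.3.2.0: : :C: :Network Install Manager - Master Tools'
SAMPLE_EMGR_HEADER='ID  STATE LABEL      INSTALL TIME      UPDATED BY ABSTRACT
=== ===== ========== ================= ========== ======================'
SAMPLE_EMGR_WITH_FIX="$SAMPLE_EMGR_HEADER
1    S    NIM_FIX    03/01/25 09:15:30            constructed sample ifix"

assess "$SAMPLE_LSSRC" "$SAMPLE_LSLPP" "$SAMPLE_EMGR_WITH_FIX" "$FIXED_LEVEL" "$IFIX_LABEL" || true
assess "$SAMPLE_LSSRC" "$SAMPLE_LSLPP" "$SAMPLE_EMGR_HEADER" "$FIXED_LEVEL" "$IFIX_LABEL" || true
assess "$SAMPLE_LSSRC_DOWN" "$SAMPLE_LSLPP" "$SAMPLE_EMGR_HEADER" "$FIXED_LEVEL" "$IFIX_LABEL" || true

# On the NIM master itself, run against live output instead:
# assess "$(lssrc -s nimesis)" "$(lslpp -Lc bos.sysmgt.nim.master)" "$(emgr -l)" "$FIXED_LEVEL" "$IFIX_LABEL"
```

The emgr check is the part most people skip: after an ifix, lslpp and oslevel still show the pre-fix level, so a scanner that only compares versions will keep flagging a patched master. Conversely, an ifix in state Q (reboot required) is not yet in effect, which is why only state S counts.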

📡 Detection & Monitoring

Log Indicators:

  • Processes spawned by nimesis that are not NIM operations (shells, network tools, anything outside the NIM method directory); with AIX auditing enabled, PROC_Create/PROC_Execute events whose parent is nimesis are the primary source
  • Do not rely on failed-authentication events: the flaw is reachable without authentication, so a successful exploit produces none
  • Unexpected network connections to the NIM port from addresses that are not registered NIM clients

Network Indicators:

  • Unexpected traffic to port 1058/tcp
  • Suspicious command execution patterns in NIM protocol

SIEM Query (illustrative; field and source names depend on your collector, and AIX has no standard "nimesis.log"):

source="aix_audit" AND event IN ("PROC_Create", "PROC_Execute") AND parent_process="nimesis" AND NOT command="/usr/lpp/bos.sysmgt/nim/*"
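Two of the indicators above (unexpected peers on the NIM port, and processes spawned by nimesis), run over command output as an added example in POSIX shell that is neither IBM's code nor the page's own. The first function parses AIX netstat -an output, where address and port are joined by a dot, and prints peers with an established session to port 1058 that are not on an allow-list of NIM client addresses. The second parses ps -ef output, finds children of the nimesis daemon and prints those not started from the NIM method directory; the prefix /usr/lpp/bos.sysmgt/nim/ is an assumption about what a healthy master spawns and should be baselined on your own master. All sample output and addresses are constructed.

```sh
#!/bin/sh
# Detection helpers for CVE-2025-36250 indicators (added example, not IBM's code).
# Each function parses one AIX command's output from stdin, so it runs offline on
# captured text and can be scheduled on the master against live output.

# Prints peers with an ESTABLISHED TCP session to local port $2 (default 1058, the
# nim service) that are not in the space-separated allow-list $1. Expects `netstat -an`
# in AIX format: "tcp4  0  0  10.0.0.5.1058  10.0.0.77.40123  ESTABLISHED".
unexpected_nim_peers() {
    awk -v allow="$1" -v port="${2:-1058}" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $NF == "ESTABLISHED" {
            lport = $4; sub(/.*\./, "", lport)      # port is the last dotted field
            if (lport != port) next
            peer = $5; sub(/\.[0-9]+$/, "", peer)  # strip the peer port, keep the address
            if (!(peer in ok) && !(peer in seen)) { seen[peer] = 1; print peer }
        }'
}

# Prints the command lines of processes whose parent is the nimesis daemon, except
# those started from the NIM method directory. Expects `ps -ef` output
# (UID PID PPID C STIME TTY TIME CMD). STIME is hh:mm:ss for processes started today
# and "Mon dd" (two fields) for older ones, which shifts the CMD column by one.
# ASSUMPTION: legitimate nimesis children live under /usr/lpp/bos.sysmgt/nim/; baseline this.
nimesis_children() {
    awk -v okdir="${1:-/usr/lpp/bos.sysmgt/nim/}" '
        $2 ~ /^[0-9]+$/ {
            start = ($5 ~ /:/) ? 8 : 9
            cmd = $(start); for (i = start + 1; i <= NF; i++) cmd = cmd " " $i
            if (cmd ~ /(^|\/)nimesis$/) daemon[$2] = 1
            ppid[NR] = $3; cmdline[NR] = cmd
        }
        END {
            for (r = 1; r <= NR; r++)
                if ((r in ppid) && (ppid[r] in daemon) && index(cmdline[r], okdir) != 1)
                    print cmdline[r]
        }'
}

# Constructed samples in the two commands' output formats.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.1058                 *.*                    LISTEN
tcp4       0      0  10.0.0.5.1058          10.0.0.77.40123        ESTABLISHED
tcp4       0      0  10.0.0.5.1058          192.0.2.44.51122       ESTABLISHED
tcp4       0      0  10.0.0.5.1058          192.0.2.44.51123       ESTABLISHED
tcp4       0      0  10.0.0.5.22            10.0.0.80.55001        ESTABLISHED'
SAMPLE_PS='     UID     PID    PPID   C    STIME    TTY  TIME CMD
    root 4915304 1818776   0   Mar 01      -  0:03 /usr/sbin/nimesis
    root 6029444 4915304   0 10:22:11      -  0:00 /usr/lpp/bos.sysmgt/nim/methods/m_example
    root 7012365 4915304   0 10:25:40      -  0:00 /bin/ksh -c id > /tmp/.x
    root 8123456 1818776   0 10:30:00      -  0:00 /usr/sbin/sshd'
NIM_CLIENTS="10.0.0.77 10.0.0.78"

echo "== peers on 1058/tcp not in the NIM client allow-list =="
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_nim_peers "$NIM_CLIENTS"
echo "== nimesis children outside the NIM method directory =="
printf '%s\n' "$SAMPLE_PS" | nimesis_children

# On the master, against live output:
# netstat -an | unexpected_nim_peers "$NIM_CLIENTS";  ps -ef | nimesis_children
```

Run both on a schedule and alert on any output; on a correctly segmented master the peer list should be empty and the only nimesis children should be NIM methods. The ps parser handles the STIME column shift because the daemon itself is usually days old while an attacker's child process was started today, so a naive fixed-column parse would miss exactly the pairing you care about.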
