IBM SECURITY ADVISORY

First Issued: Thu Nov 13 14:12:55 CST 2025

The most recent version of this document is available here:
https://aix.software.ibm.com/aix/efixes/security/nim_advisory2.asc

Security Bulletin: AIX is vulnerable to arbitrary command execution
(CVE-2025-36251, CVE-2025-36250), insufficiently protected credentials
(CVE-2025-36096), and path traversal (CVE-2025-36236)

===============================================================================

SUMMARY:

    Vulnerabilities in AIX could allow a remote attacker to execute arbitrary
    commands (CVE-2025-36251, CVE-2025-36250), obtain Network Installation
    Manager (NIM) private keys (CVE-2025-36096), or traverse directories
    (CVE-2025-36236). These vulnerabilities are addressed through the fixes
    referenced as part of this bulletin.

    These vulnerabilities are exploitable only when an attacker can establish
    network connectivity to the affected host.

===============================================================================

VULNERABILITY DETAILS:

    CVEID: CVE-2025-36251
        https://www.cve.org/CVERecord?id=CVE-2025-36251
    DESCRIPTION: IBM AIX nimsh service SSL/TLS implementations could allow
        a remote attacker to execute arbitrary commands due to improper
        process controls. This addresses additional attack vectors for a
        vulnerability that was previously addressed in CVE-2024-56347.
    CVSS Base Score: 9.6
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)

    CVEID: CVE-2025-36096
        https://www.cve.org/CVERecord?id=CVE-2025-36096
    DESCRIPTION: IBM AIX stores NIM private keys used in NIM environments
        in an insecure way which is susceptible to unauthorized access by
        an attacker using man in the middle techniques.
    CVSS Base Score: 9
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

    CVEID: CVE-2025-36250
        https://www.cve.org/CVERecord?id=CVE-2025-36250
    DESCRIPTION: IBM AIX NIM server (formerly known as NIM master) service
        (nimesis) could allow a remote attacker to execute arbitrary
        commands due to improper process controls. This addresses
        additional attack vectors for a vulnerability that was previously
        addressed in CVE-2024-56346.
    CVSS Base Score: 10
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

    CVEID: CVE-2025-36236
        https://www.cve.org/CVERecord?id=CVE-2025-36236
    DESCRIPTION: IBM AIX NIM server (formerly known as NIM master) service
        (nimesis) could allow a remote attacker to traverse directories on
        the system. An attacker could send a specially crafted URL request
        to write arbitrary files on the system.
    CVSS Base Score: 8.2
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L)

AFFECTED PRODUCTS AND VERSIONS:

    AIX 7.2, 7.3
    VIOS 3.1, 4.1

    The vulnerabilities in the following filesets are being addressed:

    key_fileset = aix

    Fileset                 Lower Level  Upper Level KEY
    ---------------------------------------------------------
    bos.sysmgt.nim.client   7.2.5.0      7.2.5.204   key_w_fs
    bos.sysmgt.nim.master   7.2.5.0      7.2.5.205   key_w_fs
    bos.sysmgt.sysbr        7.2.5.0      7.2.5.204   key_w_fs
    bos.sysmgt.nim.client   7.3.1.0      7.3.1.3     key_w_fs
    bos.sysmgt.nim.master   7.3.1.0      7.3.1.3     key_w_fs
    bos.sysmgt.sysbr        7.3.1.0      7.3.1.3     key_w_fs
    bos.sysmgt.nim.client   7.3.2.0      7.3.2.3     key_w_fs
    bos.sysmgt.nim.master   7.3.2.0      7.3.2.3     key_w_fs
    bos.sysmgt.sysbr        7.3.2.0      7.3.2.3     key_w_fs
    bos.sysmgt.nim.client   7.3.3.0      7.3.3.1     key_w_fs
    bos.sysmgt.nim.master   7.3.3.0      7.3.3.1     key_w_fs
    bos.sysmgt.sysbr        7.3.3.0      7.3.3.1     key_w_fs

    To find out whether the affected filesets are installed on your systems,
    refer to the lslpp command found in AIX user's guide.
    Example:  lslpp -L | grep -i bos.sysmgt.nim.client

REMEDIATION:

    A. APARS

        IBM has assigned the following APARs to this problem:

        AIX Level APAR     Availability  SP        KEY
        -----------------------------------------------------
        7.2.5     IJ55968  **            SP11      key_w_apar
        7.3.1     IJ56230  **            N/A       key_w_apar
        7.3.2     IJ56113  **            N/A       key_w_apar
        7.3.3     IJ55897  **            SP02      key_w_apar

        VIOS Level APAR    Availability  SP        KEY
        -----------------------------------------------------
        3.1.4      IJ55968 **            N/A       key_w_apar
        4.1.0      IJ56113 **            N/A       key_w_apar
        4.1.1      IJ55897 **            4.1.1.20  key_w_apar

        Subscribe to the APARs here:

        https://www.ibm.com/support/pages/apar/[APAR Number]

        By subscribing, you will receive periodic email alerting you
        to the status of the APAR, and a link to download the fix once
        it becomes available.

    B. FIXES

        IBM strongly recommends addressing the vulnerability now.

        Addressing the vulnerability requires configuring NIM in SSL/TLS
        Secure mode (nimconfig -c) and applying the fixes provided in this
        bulletin:

        https://www.ibm.com/docs/en/aix/7.3.0?topic=authentication-enabling-cryptographic-from-command-line

        Please refer to the README provided in the tar file for details on
        configuring NIM in secure mode.

        AIX and VIOS fixes are available.

        The AIX and VIOS fixes can be downloaded via https from:

        https://aix.software.ibm.com/aix/efixes/security/nim_fix2.tar

        The link above is to a tar file containing this signed
        advisory, fix packages, and OpenSSL signatures for each package.
        The fixes below include prerequisite checking. This will
        enforce the correct mapping between the fixes and AIX
        Technology Levels.

        The fixes are cumulative and address previously issued
        AIX/VIOS NIM security bulletins with respect to SP and TL,
        which includes:

        https://www.ibm.com/support/pages/node/7186621
        https://aix.software.ibm.com/aix/efixes/security/nim_advisory.asc

        NOTE: To help with enabling the fix, a README file is provided in
        the tar file.
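A scripted form of the fileset check described under AFFECTED PRODUCTS AND VERSIONS, added here as an example and not part of IBM's advisory or tooling. The function names and the sample lines are constructed for illustration, the upper levels are treated as inclusive, and the input is assumed to be the colon-separated output of "lslpp -Lc" (package:fileset:level:...).

```sh
#!/bin/sh
# Added example (not IBM code): compare installed NIM fileset levels with the
# affected ranges from the advisory table. Ranges are treated as inclusive.
AFFECTED_RANGES='bos.sysmgt.nim.client 7.2.5.0 7.2.5.204
bos.sysmgt.nim.master 7.2.5.0 7.2.5.205
bos.sysmgt.sysbr 7.2.5.0 7.2.5.204
bos.sysmgt.nim.client 7.3.1.0 7.3.1.3
bos.sysmgt.nim.master 7.3.1.0 7.3.1.3
bos.sysmgt.sysbr 7.3.1.0 7.3.1.3
bos.sysmgt.nim.client 7.3.2.0 7.3.2.3
bos.sysmgt.nim.master 7.3.2.0 7.3.2.3
bos.sysmgt.sysbr 7.3.2.0 7.3.2.3
bos.sysmgt.nim.client 7.3.3.0 7.3.3.1
bos.sysmgt.nim.master 7.3.3.0 7.3.3.1
bos.sysmgt.sysbr 7.3.3.0 7.3.3.1'

# is_affected FILESET LEVEL: exit 0 when LEVEL lies inside a listed range.
# Each V.R.M.F part is zero-padded so that 7.2.5.10 sorts after 7.2.5.9.
is_affected() {
    printf '%s\n' "$AFFECTED_RANGES" | awk -v name="$1" -v lvl="$2" '
        function key(v,  p) {
            split(v, p, ".")
            return sprintf("%04d%04d%04d%04d", p[1], p[2], p[3], p[4])
        }
        $1 == name && key(lvl) >= key($2) && key(lvl) <= key($3) { hit = 1 }
        END { exit(hit ? 0 : 1) }'
}

# scan_lslpp: read colon-separated "lslpp -Lc" output on stdin (assumed
# layout: package:fileset:level:...) and report each NIM fileset.
scan_lslpp() {
    awk -F: '$2 ~ /^bos\.sysmgt\.(nim\.client|nim\.master|sysbr)$/ { print $2, $3 }' |
    while read -r fs lvl; do
        if is_affected "$fs" "$lvl"; then
            echo "AFFECTED $fs $lvl"
        else
            echo "ok $fs $lvl"
        fi
    done
}

# Constructed sample lines (not captured from a real host). On AIX, run:
#   lslpp -Lc | scan_lslpp
SAMPLE_LSLPP='bos.sysmgt:bos.sysmgt.nim.client:7.3.3.1: : :C: :NIM Client Tools
bos.sysmgt:bos.sysmgt.nim.master:7.2.5.206: : :C: :NIM Master Tools
bos.sysmgt:bos.sysmgt.sysbr:7.3.2.0: : :C: :System Backup Utilities
bos.rte:bos.rte.install:7.3.3.0: : :C: :LPP Install Commands'
printf '%s\n' "$SAMPLE_LSLPP" | scan_lslpp
```

An interim fix installed with emgr does not change the fileset level, so a host patched that way still reports AFFECTED here; "emgr -l" lists the interim fixes that are installed.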
        For NIM client:

        AIX Level  Interim Fix (*.Z)         KEY        PRODUCT(S)
        ---------------------------------------------------------
        7.2.5.8    IJ55968mAa.251112.epkg.Z  key_w_fix  nimclient
        7.2.5.9    IJ55968mAa.251112.epkg.Z  key_w_fix  nimclient
        7.2.5.10   IJ55968mAa.251112.epkg.Z  key_w_fix  nimclient
        7.3.1.3    IJ56230m4a.251112.epkg.Z  key_w_fix  nimclient
        7.3.1.4    IJ56230m4a.251112.epkg.Z  key_w_fix  nimclient
        7.3.2.2    IJ56113m4a.251112.epkg.Z  key_w_fix  nimclient
        7.3.2.3    IJ56113m4a.251112.epkg.Z  key_w_fix  nimclient
        7.3.2.4    IJ56113m4a.251112.epkg.Z  key_w_fix  nimclient
        7.3.3.0    IJ55897m1a.251112.epkg.Z  key_w_fix  nimclient
        7.3.3.1    IJ55897m1a.251112.epkg.Z  key_w_fix  nimclient

        Please note that the above table refers to AIX TL/SP level as
        opposed to fileset level, i.e., 7.2.5.8 is AIX 7200-05-08.

        Please reference the Affected Products and Version section above
        for help with checking installed fileset levels.

        VIOS Level  Interim Fix (*.Z)         KEY        PRODUCT(S)
        ----------------------------------------------------------
        3.1.4.41    IJ55968mAa.251112.epkg.Z  key_w_fix  nimclient
        3.1.4.50    IJ55968mAa.251112.epkg.Z  key_w_fix  nimclient
        3.1.4.60    IJ55968mAa.251112.epkg.Z  key_w_fix  nimclient
        4.1.0.10    IJ56113m4a.251112.epkg.Z  key_w_fix  nimclient
        4.1.0.21    IJ56113m4a.251112.epkg.Z  key_w_fix  nimclient
        4.1.0.30    IJ56113m4a.251112.epkg.Z  key_w_fix  nimclient
        4.1.1.0     IJ55897m1a.251112.epkg.Z  key_w_fix  nimclient
        4.1.1.10    IJ55897m1a.251112.epkg.Z  key_w_fix  nimclient

        For NIM Server:

        AIX Level  Interim Fix (*.Z)         KEY        PRODUCT(S)
        ---------------------------------------------------------
        7.2.5.8    IJ55968mAb.251112.epkg.Z  key_w_fix  nimserver
        7.2.5.9    IJ55968mAb.251112.epkg.Z  key_w_fix  nimserver
        7.2.5.10   IJ55968mAb.251112.epkg.Z  key_w_fix  nimserver
        7.3.1.3    IJ56230m4b.251112.epkg.Z  key_w_fix  nimserver
        7.3.1.4    IJ56230m4b.251112.epkg.Z  key_w_fix  nimserver
        7.3.2.2    IJ56113m4b.251112.epkg.Z  key_w_fix  nimserver
        7.3.2.3    IJ56113m4b.251112.epkg.Z  key_w_fix  nimserver
        7.3.2.4    IJ56113m4b.251112.epkg.Z  key_w_fix  nimserver
        7.3.3.0    IJ55897m1b.251112.epkg.Z  key_w_fix  nimserver
        7.3.3.1    IJ55897m1b.251112.epkg.Z  key_w_fix  nimserver

        Please note that the above table refers to AIX TL/SP level as
        opposed to fileset level, i.e., 7.2.5.8 is AIX 7200-05-08.

        Please reference the Affected Products and Version section above
        for help with checking installed fileset levels.

        To extract the fixes from the tar file:

        tar xvf nim_fix2.tar
        cd nim_fix2

        Verify you have retrieved the fixes intact:

        The checksums below were generated using the
        "openssl dgst -sha256 [filename]" command as the following:

        The checksums below were generated using the
        "openssl dgst -sha512 [filename]" command as the following:

        These sums should match exactly. The OpenSSL signatures in the tar
        file and on this advisory can also be used to verify the
        integrity of the fixes. If the sums or signatures cannot be
        confirmed, contact IBM Support at
        http://ibm.com/support/ and describe the discrepancy.

        openssl dgst -sha256 -verify [pubkey_file] -signature [advisory_file].sig [advisory_file]

        openssl dgst -sha256 -verify [pubkey_file] -signature [ifix_file].sig [ifix_file]

        Published advisory OpenSSL signature file location:

        https://aix.software.ibm.com/aix/efixes/security/nim_advisory2.asc.sig

    C. FIX AND INTERIM FIX INSTALLATION

        NOTE: To help with enabling the fix, a README file is provided in
        the tar file.

        If possible, it is recommended that a mksysb backup of the system
        be created. Verify it is both bootable and readable before
        proceeding.
        To preview a fix installation:

        installp -a -d fix_name -p all  # where fix_name is the name of the
                                        # fix package being previewed.

        To install a fix package:

        installp -a -d fix_name -X all  # where fix_name is the name of the
                                        # fix package being installed.

        Interim fixes have had limited functional and regression
        testing but not the full regression testing that takes place
        for Service Packs; however, IBM does fully support them.

        Interim fix management documentation can be found at:

        https://www.ibm.com/support/pages/managing-interim-fixes-aix

        To preview an interim fix installation:

        emgr -e ipkg_name -p         # where ipkg_name is the name of the
                                     # interim fix package being previewed.

        To install an interim fix package:

        emgr -e ipkg_name -X         # where ipkg_name is the name of the
                                     # interim fix package being installed.

WORKAROUNDS AND MITIGATIONS:

    None.

===============================================================================

CONTACT US:

    Note: Keywords labeled as KEY in this document are used for parsing
    purposes.

    If you would like to receive AIX Security Advisories via email,
    please visit "My Notifications":

        http://www.ibm.com/support/mynotifications

    Contact IBM Support for questions related to this announcement:

        https://ibm.com/support/

    For information on how to securely verify AIX security bulletins and fixes:

        https://www.ibm.com/support/pages/node/6985269

    To obtain the OpenSSL public key that can be used to verify the
    signed advisories and ifixes:

        Download the key from our web page:

        https://aix.software.ibm.com/aix/efixes/security/systems_p_os_aix_security_pubkey.txt

    To verify the AIX/VIOS security bulletin:

        Published advisory OpenSSL signature file location:

        https://aix.software.ibm.com/aix/efixes/security/nim_advisory2.asc.sig

        openssl dgst -sha256 -verify [pubkey_file] -signature [advisory_file].sig [advisory_file]

    Please contact your local IBM AIX support center for any
    assistance.
REFERENCES:

    Complete CVSS v3 Guide:
        http://www.first.org/cvss/user-guide
    On-line Calculator v3:
        http://www.first.org/cvss/calculator/3.0

RELATED INFORMATION:

    IBM Secure Engineering Web Portal
        http://www.ibm.com/security/secure-engineering/bulletins.html

    IBM Product Security Incident Response Blog
        https://www.ibm.com/blogs/psirt/

    Security Bulletin: AIX is vulnerable to arbitrary command execution
    (CVE-2025-36251, CVE-2025-36250), insufficiently protected credentials
    (CVE-2025-36096), and path traversal (CVE-2025-36236)
        https://www.ibm.com/support/pages/node/7251173

ACKNOWLEDGEMENTS:

    The vulnerabilities were reported to IBM by Oneconsult AG
    (https://oneconsult.com/), Jan Alsenz.

CHANGE HISTORY:

    First Issued: Thu Nov 13 14:12:55 CST 2025

===============================================================================

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.