CVE-2025-36107
BaseFortify
Publication date: 2025-07-21
Last updated on: 2025-08-07
Assigner: IBM Corporation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ibm | cognos_analytics_mobile | From 1.1.0 (inc) to 1.1.23 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-319 | The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-36107 is a vulnerability in IBM Cognos Analytics Mobile (iOS) versions 1.1.0 through 1.1.22 where sensitive information can be intercepted by malicious actors because the app transmits data in cleartext over the network. This means that confidential data is not properly encrypted during transmission, allowing attackers to potentially obtain this information. The vulnerability is classified under CWE-319 (Cleartext Transmission of Sensitive Information) and has a CVSS score of 5.9, indicating a moderate severity with high confidentiality impact but no impact on integrity or availability. [1]
How can this vulnerability impact me? :
This vulnerability can lead to the exposure of sensitive and confidential information transmitted by IBM Cognos Analytics Mobile (iOS) to unauthorized parties if they intercept the network traffic. Since the data is sent in cleartext, attackers on the same network or with network access could capture this information, potentially leading to data breaches or leakage of confidential business data. The vulnerability does not affect data integrity or availability but poses a significant confidentiality risk. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves cleartext transmission of sensitive information by IBM Cognos Analytics Mobile (iOS) versions 1.1.0 through 1.1.22. Detection can be performed by monitoring network traffic for unencrypted sensitive data being transmitted by the application. Network packet capture tools like Wireshark or tcpdump can be used to inspect traffic from the device running the affected app. For example, using tcpdump on a network interface to capture traffic to/from the iOS device and filtering for HTTP or other unencrypted protocols may reveal sensitive data in cleartext. Specific commands could include: tcpdump -i <interface> host <device_ip> -w capture.pcap, followed by analysis in Wireshark to look for unencrypted sensitive information. However, no explicit detection commands are provided in the resources. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation step is to upgrade IBM Cognos Analytics Mobile (iOS) to version 1.1.23 or later, where this vulnerability is resolved. IBM strongly recommends prompt updating to the fixed version. No workarounds or other mitigations are available. [1]