CVE-2025-36100
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-07

Last updated on: 2025-12-19

Assigner: IBM Corporation

Description
IBM MQ LTS 9.1.0.0 through 9.1.0.29, 9.2.0.0 through 9.2.0.36, 9.3.0.0 through 9.3.0.30 and 9.4.0.0 through 9.4.0.12 and IBM MQ CD 9.3.0.0 through 9.3.5.1 and 9.4.0.0 through 9.4.3.0Β  Java and JMS stores a password in client configuration files when trace is enabled which can be read by a local user.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-07
Last Modified
2025-12-19
Generated
2026-06-16
AI Q&A
2025-09-07
EPSS Evaluated
2026-06-15
NVD
CVE-2025-36100
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
ibm mq From 9.1.0.0 (inc) to 9.1.0.31 (exc)
ibm mq From 9.2.0.0 (inc) to 9.2.0.37 (exc)
ibm mq From 9.3.0.0 (inc) to 9.3.0.31 (exc)
ibm mq From 9.3.0.0 (inc) to 9.3.5.1 (inc)
ibm mq From 9.4.0.0 (inc) to 9.4.0.15 (exc)
ibm mq From 9.4.0.0 (inc) to 9.4.3.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-260 The product stores a password in a configuration file that might be accessible to actors who do not know the password.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in IBM MQ Java and JMS components causes passwords to be stored in plaintext within client configuration files when tracing is enabled. This allows a local user to read these passwords, potentially exposing sensitive credentials. [1]

Impact Analysis

The vulnerability can lead to local password disclosure, allowing unauthorized local users to access sensitive credentials stored in configuration files. This could compromise system availability and security, as attackers might use the disclosed passwords to disrupt services or gain further access. [1]

Mitigation Strategies

To mitigate this vulnerability, you should promptly apply the specific cumulative security updates or fix packs for your IBM MQ version as follows: update IBM MQ 9.1 LTS to 9.1.0.31, IBM MQ 9.2 LTS to 9.2.0.37, IBM MQ 9.3 LTS to 9.3.0.31, IBM MQ 9.4 LTS to 9.4.0.15, and upgrade IBM MQ 9.3 CD and 9.4 CD to version 9.4.3.1. No workarounds or alternative mitigations are provided, so applying these updates is essential to prevent local password disclosure risks. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-36100. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart