CVE-2025-36363
Received Received - Intake
Inadequate Account Lockout in IBM DevOps Plan Enables Brute Force

Publication date: 2026-03-03

Last updated on: 2026-03-04

Assigner: IBM Corporation

Description
IBM DevOps Plan 3.0.0 through 3.0.5 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-03
Last Modified
2026-03-04
Generated
2026-06-16
AI Q&A
2026-03-03
EPSS Evaluated
2026-06-15
NVD
CVE-2025-36363
EUVD
EUVD-2025-208254
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ibm devops_plan From 3.0.0 (inc) to 3.0.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-307 The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability, identified as CVE-2025-36363, exists in IBM DevOps Plan versions 3.0.0 through 3.0.5. It is caused by inadequate account lockout settings that fail to properly restrict excessive authentication attempts.

Because of this flaw, a remote attacker can perform brute force attacks to guess account credentials without being locked out after multiple failed attempts.

The vulnerability is classified under CWE-307: Improper Restriction of Excessive Authentication Attempts and has a medium severity score of 5.9 according to CVSS version 3.1.

Impact Analysis

This vulnerability allows a remote attacker to repeatedly attempt to guess account credentials through brute force attacks due to the lack of adequate account lockout mechanisms.

If successful, the attacker could gain unauthorized access to accounts, leading to a high confidentiality impact since sensitive information could be exposed.

However, the vulnerability does not impact integrity or availability, and it requires high attack complexity and no privileges or user interaction.

Compliance Impact

I don't know

Detection Guidance

The vulnerability arises from inadequate account lockout settings that allow brute force attacks on IBM DevOps Plan versions 3.0.0 through 3.0.5.

No specific detection commands or methods are provided in the available resources.

Mitigation Strategies

The recommended remediation is to upgrade IBM DevOps Plan to version 3.0.6, which addresses this security issue.

No workarounds or alternative mitigations are provided.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-36363. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart