Recent vulnerabilities identified within the IBM AIX operating system for Power servers pose significant security risks, potentially enabling remote attackers to execute arbitrary commands, access Network Installation Manager (NIM) private keys, and traverse directories. IBM has highlighted these concerns in a newly released security bulletin, which outlines three critical and one high-severity vulnerabilities. In addition, security firm Mondoo has called attention to these issues, urging AIX users to take immediate action to mitigate the risks.
Although there have not yet been any reported cases of exploitation, experts at Mondoo caution that these vulnerabilities could be interconnected, potentially leading to severe compromises, particularly for industries such as financial services and healthcare that heavily rely on IBM Power systems. “These four vulnerabilities together present a very serious threat, especially in environments where the NIM infrastructure is exposed,” said Mondoo.
Understanding CVE-2025-36250: A Critical Threat
The most severe vulnerability, CVE-2025-36250, has been assigned the maximum CVSS score of 10.0. It affects IBM AIX versions 7.2 and 7.3, as well as IBM Virtual I/O Server (VIOS) versions 3.1 and 4.1. The NIM server service could allow a remote attacker to execute arbitrary commands because of improper process controls. IBM’s fix also closes additional attack vectors for a related vulnerability, CVE-2024-56346, which was likewise rated 10.0.
Another serious vulnerability, CVE-2025-36251, carries a rating of 9.6. This issue also impacts AIX 7.2 and 7.3 and VIOS 3.1 and 4.1, with the nimsh service’s SSL/TLS implementations being a potential point of exploitation. Like the previous flaw, this fix addresses additional vulnerabilities related to CVE-2024-56347, which is also rated 9.6.
Furthermore, CVE-2025-36096, rated 9.0, exposes AIX 7.2 and 7.3 and VIOS 3.1 and 4.1 by storing NIM private keys insecurely, making them susceptible to unauthorized access through man-in-the-middle attacks. Lastly, CVE-2025-36236, with a severity rating of 8.2, enables attackers to traverse system directories or send specially formatted URL requests that could lead to arbitrary file writing on the system.
IBM has acknowledged Jan Alsenz from Oneconsult AG for discovering these vulnerabilities, highlighting the importance of community participation in cybersecurity.
Potential for System Hijacking
In discussions surrounding the vulnerabilities, Mondoo’s Chief Security Officer, Patrick Münch, emphasized the severe implications: “These vulnerabilities pose a serious threat as they enable any remote attacker with no prior privileges to execute arbitrary commands on an exposed IBM Network Installation Manager (NIM).” He elaborated that compromised NIM servers could lead to unauthorized manipulation of unattended operating system installations and updates, potentially allowing attackers to deploy malicious software onto AIX hosts and move laterally within the network.
Even for vulnerabilities this critical, the emphasis on uptime in IBM AIX environments often leads to delayed patch cycles. Although no active exploitation has been reported so far, the high-risk nature of these vulnerabilities calls for organizations to apply the patches immediately. “We strongly advise organizations to patch without delay,” Münch stated.
To aid in this effort, IBM has issued detailed mitigation instructions. Affected organizations should reconfigure NIM to SSL/TLS Secure mode (using nimconfig -c) and apply the necessary fixes. These fixes are accessible for download via a secure link, which provides a tar file containing the advisory, fix packages, and accompanying OpenSSL signatures for each package.
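As an added example (not from IBM’s bulletin or from Mondoo), the following POSIX shell helper checks every fix package in the extracted tar against its detached OpenSSL signature before anything is installed. The `<file>.sig` naming, the digest algorithm and the location of IBM’s public key are assumptions; match them against the advisory shipped in the tar.

```shell
#!/bin/sh
# Added example: verify the detached OpenSSL signatures that ship with an IBM
# AIX fix tar before installing anything. Assumptions (check them against the
# advisory in the tar): each package <file> has a sibling <file>.sig, the
# signature was made over the digest named in DIGEST, and IBM's public key
# is available locally as a PEM file.
DIGEST=${DIGEST:-sha256}   # assumption: use the digest the advisory names

# verify_fix_dir <extracted-dir> <ibm-public-key.pem>
# Prints one line per package and returns the number of failures (0 = all good).
verify_fix_dir() {
    dir=$1
    pubkey=$2
    failed=0
    checked=0
    for sig in "$dir"/*.sig; do
        [ -e "$sig" ] || continue          # no .sig files at all
        pkg=${sig%.sig}
        if [ ! -f "$pkg" ]; then
            echo "MISSING   $pkg (signature without package)"
            failed=$((failed + 1))
            continue
        fi
        if openssl dgst -"$DIGEST" -verify "$pubkey" -signature "$sig" "$pkg" >/dev/null 2>&1; then
            echo "VERIFIED  $pkg"
        else
            echo "BAD SIG   $pkg (do not install)"
            failed=$((failed + 1))
        fi
        checked=$((checked + 1))
    done
    # A package with no signature at all is also unverified: refuse it too.
    for pkg in "$dir"/*; do
        case "$pkg" in *.sig) continue ;; esac
        [ -f "$pkg" ] || continue
        if [ ! -f "$pkg.sig" ]; then
            echo "UNSIGNED  $pkg (no detached signature)"
            failed=$((failed + 1))
        fi
    done
    echo "checked=$checked failed=$failed"
    return $failed
}
# Usage: verify_fix_dir /path/to/extracted_fix_tar /path/to/ibm_pubkey.pem
```

Run it against the extracted directory and install only when the exit status is 0; a non-zero status counts the packages that failed verification.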