IBM has disclosed critical vulnerabilities in its AIX operating system that enable remote attackers to execute arbitrary commands, steal sensitive keys, and manipulate files, posing severe risks to enterprise environments.
These flaws, tracked as CVE-2025-36251, CVE-2025-36250, CVE-2025-36096, and CVE-2025-36236, affect Network Installation Manager (NIM) services and require immediate patching for systems with network exposure.
The vulnerabilities stem from improper process controls and insecure credential handling in AIX’s NIM components, which manage system installations and network-based updates.
Attackers need only network access to the target host, making these issues highly exploitable in unpatched setups.
For instance, the nimsh service in AIX handles SSL/TLS communications for NIM clients, but flaws in it allow an attacker to bypass its protections and run unauthorized commands.
Similarly, the nimesis service on NIM servers fails to limit processes, enabling complete system compromise without authentication.
These build on earlier fixes for CVE-2024-56346 and CVE-2024-56347, addressing new attack paths discovered by researchers.
Vulnerability Breakdown
The four CVEs highlight interconnected risks in AIX’s remote management tools, with CVSS scores indicating critical severity.
Below is a table summarizing the key details:

| CVE ID | Description | CWE Category | CVSS Base Score |
|---|---|---|---|
| CVE-2025-36251 | Improper process controls in nimsh SSL/TLS allow remote arbitrary command execution. | CWE-114: Process Control | 9.6 |
| CVE-2025-36250 | Flawed nimesis service enables unauthenticated remote command execution. | CWE-114: Process Control | 10.0 |
| CVE-2025-36096 | Insecure storage of NIM private keys vulnerable to man-in-the-middle theft. | CWE-522: Insufficiently Protected Credentials | 9.0 |
| CVE-2025-36236 | Path traversal in nimesis allows arbitrary file writes via crafted URLs. | CWE-22: Path Traversal | 8.2 |

This table draws on IBM’s official assessment, which assigns a perfect 10.0 score to CVE-2025-36250, underscoring its potential as a network-only, no-interaction exploit.
Exploitation could lead to full root access, data exfiltration, or lateral movement in enterprise networks, especially in virtualized setups using VIOS.
The flaws were reported by Oneconsult AG, underscoring the need for secure NIM configurations, such as SSL/TLS mode, to mitigate risks.
Affected Systems and Fixes
These vulnerabilities affect AIX versions 7.2 and 7.3, as well as VIOS 3.1 and 4.1, specifically the filesets bos.sysmgt.nim.client, bos.sysmgt.nim.master, and bos.sysmgt.sysbr up to certain levels.
Administrators can check installations with the lslpp -L | grep -i bos.sysmgt.nim.client command.
IBM provides interim fixes in a tar file at aix.software.ibm.com/aix/efixes/security/nim_fix2.tar, including APARs such as IJ55968 for AIX 7.2.5.
To remediate, first enable NIM secure mode with nimconfig -c, then apply fixes using installp or emgr tools after backing up the system.
Verify downloads with provided SHA-256 checksums, such as 7343a01b01318aa23ced4cdb35a0bf282a796bfb3ee9be9479c81899dc42256b for IJ55897m1a.251112.epkg.Z.
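As an added example (not code from IBM or from this article), the shell functions below list which of the three NIM filesets named above are installed and reject an interim-fix package whose SHA-256 does not match the published value. They assume the colon-separated output of lslpp -Lc and that either sha256sum or openssl is present on the host; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight checks before applying the NIM interim fixes.
# Function names are hypothetical; nothing here is taken from IBM's tooling.

# Filesets named in the article as affected.
NIM_FILESETS="bos.sysmgt.nim.client bos.sysmgt.nim.master bos.sysmgt.sysbr"

# Read `lslpp -Lc` output (assumed layout: package:fileset:level:...) on stdin
# and print "fileset level" for each affected fileset that is installed.
nim_filesets_installed() {
    awk -F: -v want="$NIM_FILESETS" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) hit[w[i]] = 1 }
        /^#/ { next }                      # skip the header line
        ($2 in hit) { print $2, $3 }'
}

# Print the lowercase hex SHA-256 of a file with whichever tool is available.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        openssl dgst -sha256 "$1" | awk '{ print $NF }'
    fi
}

# Return 0 only if the file exists and its SHA-256 equals the published value.
# Returns 1 on a mismatch and 2 if the file is missing or cannot be hashed.
verify_epkg() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    actual=$(sha256_of "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK  $file"
    else
        echo "MISMATCH  $file (got $actual)" >&2
        return 1
    fi
}

# Typical use on an AIX host, with the file name and checksum quoted above:
#   lslpp -Lc | nim_filesets_installed
#   verify_epkg IJ55897m1a.251112.epkg.Z \
#     7343a01b01318aa23ced4cdb35a0bf282a796bfb3ee9be9479c81899dc42256b
```

Run verify_epkg against every package extracted from the tar file, and continue to installp or emgr only when each one returns 0.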
Organizations should subscribe to IBM’s notifications for updates and test patches in staging environments to avoid disruptions.
With no known exploits yet, swift action prevents potential breaches in critical infrastructure.
Overall, these issues highlight the importance of timely updates for legacy Unix-like systems in modern networks.





