CVE-2025-36222 — Initialization of a Resource with an Insecure Default in IBM Storage Fusion
Severity
9.8 CRITICAL (NVD)
EPSS
0.0%
top 91.89%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Sep 11
Description
IBM Fusion 2.2.0 through 2.10.1, IBM Fusion HCI 2.2.0 through 2.10.0, and IBM Fusion HCI for watsonx 2.8.2 through 2.10.0 use insecure default configurations that could expose AMQStreams without client authentication, which could allow an attacker to perform unauthorized actions.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9
Affected Packages: 8 packages
Vulnerability Details: 1
Vendor Advisories: 2
Microsoft
ec_verify in kdc/kdc_preauth_ec.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.4 and 1.19.x before 1.19.2 allows remote attackers to cause a NULL pointer dereference a
2021-07-13
Microsoft
A flaw was discovered in OpenLDAP before 2.4.57 leading to an assertion failure in slapd in the saslAuthzTo validation resulting in denial of service.
2021-01-12