Vulnerabilities in the IBM AIX operating system for Power servers could allow remote attackers to execute arbitrary commands, obtain Network Installation Manager (NIM) private keys, or traverse directories.
IBM flagged the vulnerabilities – three critical and one high-severity – in a new security bulletin, and security firm Mondoo also urged AIX users to mitigate the flaws in a blog post.
While there has been no evidence of exploitation as of yet, Mondoo warns the vulnerabilities could be chained together to compromise the critical environments that typically rely on IBM Power systems, like financial services and healthcare.
“These four vulnerabilities together present a very serious threat, especially in environments where the NIM infrastructure is exposed,” Mondoo said.
IBM AIX Vulnerability CVE-2025-36250 Rated 10.0
The highest-rated vulnerability is CVE-2025-36250, which scored a perfect 10.0.
In IBM AIX 7.2 and 7.3 and IBM VIOS (Virtual I/O Server) 3.1 and 4.1, NIM server (formerly known as NIM master) service (nimesis) could allow a remote attacker to execute arbitrary commands due to improper process controls. The fix issued by IBM “addresses additional attack vectors for a vulnerability that was previously addressed” as CVE-2024-56346, which was also rated 10.0.
CVE-2025-36251, rated 9.6, also affects IBM AIX 7.2 and 7.3 and IBM VIOS 3.1 and 4.1. IBM notes that nimsh service SSL/TLS implementations could allow a remote attacker to execute arbitrary commands due to improper process controls. The fix also addresses additional attack vectors for a previous vulnerability, CVE-2024-56347, which was also rated 9.6.
CVE-2025-36096, rated 9.0, covers AIX 7.2 and 7.3 and IBM VIOS 3.1 and 4.1 storing the NIM private keys used in NIM environments “in an insecure way which is susceptible to unauthorized access by an attacker using man in the middle techniques.”
CVE-2025-36236, rated 8.2, also affects AIX 7.2 and 7.3 and IBM VIOS 3.1 and 4.1. The NIM server service could allow a remote attacker to traverse system directories or send a specially crafted URL request to write arbitrary files on the system.
IBM credited Jan Alsenz of Oneconsult AG for the discoveries.
IBM AIX Vulnerabilities Could Allow System ‘Hijack’
In a statement shared with The Cyber Express, Mondoo CSO Patrick Münch said the four vulnerabilities “present a very serious threat because they allow a remote attacker with no privileges to perform arbitrary commands on an IBM Network Installation Manager (NIM) that’s exposed to the internet (which NIM servers typically are). This means that they could ‘hijack’ unattended operating system installations and updates to deploy malicious payloads onto AIX hosts, move laterally, and persist in the broader environment.”
Münch noted that because of their critical nature, “Patch cycles are often delayed on IBM AIX because uptime is so critical for these enterprises. We haven’t seen any reports of active exploitation yet, but due to the high risk of these vulnerabilities, we strongly advise organizations to patch immediately.”
IBM provided lengthy mitigation instructions, and Mondoo said affected organizations should configure NIM in SSL/TLS Secure mode (nimconfig -c) and apply the fixes. The fixes are distributed over https as a single tar file, https://aix.software.ibm.com/aix/efixes/security/nim_fix2.tar, which contains the advisory, the fix packages, and an OpenSSL signature for each package.
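Because the fix tar ships an OpenSSL signature for each package, a downloaded package should only be installed after its detached signature verifies against the vendor key. The following shell script is an added example, not IBM's or Mondoo's code: it wraps `openssl dgst -verify` in an install gate that rejects a package whose signature is missing, corrupt or fails to verify. The key file, package and signature names and the SHA-256 digest are assumptions; the key pair is generated locally as a constructed stand-in for the vendor key so the script runs offline, and the advisory shipped inside the tar remains the authority for the real verification command.

```shell
#!/bin/sh
# Added example (not from IBM or Mondoo): gate installation of a downloaded
# fix package on a valid detached OpenSSL signature. The key file, package
# and signature names below are assumptions; the key pair is generated
# locally as a constructed stand-in for the vendor key so this runs offline.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# verify_sig PUBKEY FILE SIG
# Returns 0 only when SIG is a valid signature of FILE under PUBKEY.
verify_sig() {
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# gate_install PUBKEY FILE SIG
# Prints a verdict and returns 0 (safe to install) or 1 (reject). A missing
# signature file is treated as a rejection, not as "nothing to check".
gate_install() {
    pub="$1"; pkg="$2"; sig="$3"
    if [ ! -f "$sig" ]; then
        echo "REJECT: no signature file for $pkg"
        return 1
    fi
    if verify_sig "$pub" "$pkg" "$sig"; then
        echo "OK: $pkg signature verified, safe to install"
        return 0
    fi
    echo "REJECT: $pkg signature does not verify (corrupt or tampered)"
    return 1
}

# --- constructed fixture: stand-in vendor key and fix package ---------------
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/vendor.key" 2>/dev/null
openssl pkey -in "$WORK/vendor.key" -pubout -out "$WORK/vendor.pub" 2>/dev/null
printf 'stand-in for a fix package\n' > "$WORK/fix.tar"
openssl dgst -sha256 -sign "$WORK/vendor.key" \
    -out "$WORK/fix.tar.sig" "$WORK/fix.tar"
# A copy altered after signing: its signature must no longer verify.
cp "$WORK/fix.tar" "$WORK/tampered.tar"
printf 'x' >> "$WORK/tampered.tar"

# Demonstration run: first package passes, the other two are rejected.
gate_install "$WORK/vendor.pub" "$WORK/fix.tar" "$WORK/fix.tar.sig" || true
gate_install "$WORK/vendor.pub" "$WORK/tampered.tar" "$WORK/fix.tar.sig" || true
gate_install "$WORK/vendor.pub" "$WORK/fix.tar" "$WORK/missing.sig" || true
```

The gate deliberately fails closed: an absent signature file returns the same non-zero status as a bad signature, so a deployment script that chains `gate_install ... && install_fix` never installs an unverified package by accident.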
