Why these AIX vulnerabilities are concerning
These vulnerabilities aren’t critical only because of what they let an attacker do. IBM AIX is widely used in enterprise IT in sectors such as finance, insurance, retail, and healthcare, where high availability and security are essential. Securing AIX systems tends to be hard: it requires specialized skills, many security tools don’t cover these platforms, and teams end up doing the heavy lifting by hand. Patch cycles on AIX are also often delayed because uptime of these systems matters so much.
Although we haven’t seen reports of active exploitation yet, given the severity of these vulnerabilities we strongly advise organizations to patch immediately.
The four AIX CVEs
The four CVEs published on November 13th affect IBM AIX 7.2 and 7.3 and IBM VIOS 3.1 and 4.1. Patching all four is urgently advised.

Below is a breakdown of each CVE:
CVE‑2025‑36250
With a CVSS score of 10.0 (Critical), this vulnerability affects the NIM service (nimesis, nimsh): improper process controls allow remote arbitrary command execution. Because no authentication is required, an attacker could run commands of their choosing on the target AIX or VIOS system, gain full control of it, install malware, create backdoors, move laterally, and pivot from the compromised system into other parts of the network. NIM masters reachable from untrusted networks, including the internet, and running the vulnerable service are at immediate risk of compromise.
CVE‑2025‑36251
This vulnerability affects the SSL/TLS implementation of the same NIM service (nimesis, nimsh) and, like the one above, allows remote arbitrary command execution through improper process controls. It has a CVSS score of 9.6 (Critical): a remote attacker could execute commands on the system via the service, potentially without authentication or with minimal prerequisites, leading to a compromise of system integrity, data loss, or service disruption.
CVE‑2025‑36236
This is a path-traversal vulnerability in the NIM service: a remote attacker could send a specially crafted URL request to traverse directories and write arbitrary files on the system. That lets an attacker drop malicious payloads into system directories, overwrite or inject into configuration files, or place web shells, setting up further exploitation. The CVSS score of this CVE is 8.2 (High).
CVE‑2025‑36096
This is a credential-storage weakness with a CVSS score of 9.0 (Critical): the NIM private keys on IBM AIX are stored insecurely and can be obtained by an attacker using man-in-the-middle (MitM) techniques. An attacker who intercepts these communications or otherwise obtains the private keys could impersonate the NIM server or its services or decrypt NIM communications, which can lead to system takeover.
The power of combination
Together, the four vulnerabilities present a very serious threat, especially where the NIM infrastructure is reachable from untrusted networks. For example, an attacker could use CVE-2025-36236 to write a malicious payload onto the system, then use CVE-2025-36250 or CVE-2025-36251 to execute commands and gain full access. With that access, the attacker could use CVE-2025-36096 to obtain the NIM private keys, impersonate NIM services, move laterally, persist, and compromise the broader environment. These vulnerabilities need to be fixed or mitigated immediately.
How to patch the AIX vulnerabilities
Patch your AIX systems following the instructions below. If you cannot patch immediately, limit network access to the NIM services (nimesis, nimsh) to trusted networks and use firewalls to block traffic from untrusted sources.
- Configure NIM in SSL/TLS secure mode (nimconfig -c) and apply the fixes provided in the IBM bulletin. The Readme in the tar file explains how to configure NIM in secure mode.
- Apply the IBM fixes for AIX and VIOS, which can be downloaded over HTTPS from https://aix.software.ibm.com/aix/efixes/security/nim_fix2.tar. The tar file contains the advisory, the fix packages, and an OpenSSL signature for each package; verify the signatures before installing. For more information, see the IBM Security Bulletin.
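Before and after applying the fix it helps to have a repeatable way of telling which hosts still expose the vulnerable NIM filesets. The script below is an added example, not code from this post or from the IBM bulletin: it parses the output of `lslpp -Lc` (installed filesets, colon-separated) and `emgr -l` (installed interim fixes) and prints a verdict per host. Two things are assumptions: the ifix label NIM_EXAMPLE stands in for the real label listed in the fix README, and the `lslpp -Lc` field layout (field 2 = fileset, field 3 = level) is from memory of the command rather than from the bulletin. The sample command output embedded at the bottom is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the Mondoo post or the IBM bulletin): decide whether an
# AIX/VIOS host still needs the NIM fix by parsing `lslpp -Lc` and `emgr -l`.
# Assumptions: the ifix label "NIM_EXAMPLE" is a placeholder for the real label in
# the fix README; the lslpp -Lc layout (field 2 = fileset, field 3 = level) is
# taken from memory of the command's output, so check it against your own host.

# nim_filesets LSLPP_C_OUTPUT -> prints "fileset:level" for each installed NIM
# master/client fileset found in the colon-separated listing.
nim_filesets() {
  printf '%s\n' "$1" | awk -F: '
    $2 == "bos.sysmgt.nim.master" || $2 == "bos.sysmgt.nim.client" { print $2 ":" $3 }'
}

# ifix_installed EMGR_L_OUTPUT LABEL -> succeeds when an ifix with LABEL is listed
# in state S (stable, i.e. fully installed); any other state counts as not applied.
ifix_installed() {
  printf '%s\n' "$1" | awk -v label="$2" '
    $2 == "S" && $3 == label { found = 1 }
    END { exit found ? 0 : 1 }'
}

# assess_nim_fix LSLPP_C_OUTPUT EMGR_L_OUTPUT LABEL -> prints NOT_APPLICABLE when no
# NIM fileset is installed, PATCHED when the ifix is present, otherwise VULNERABLE
# followed by the comma-separated filesets that still expose the host.
assess_nim_fix() {
  installed=$(nim_filesets "$1")
  if [ -z "$installed" ]; then
    echo "NOT_APPLICABLE"
  elif ifix_installed "$2" "$3"; then
    echo "PATCHED"
  else
    echo "VULNERABLE $(printf '%s\n' "$installed" | paste -s -d , -)"
  fi
}

# Constructed sample command output (illustrative, not captured from a real host).
SAMPLE_LSLPP_NIM='#Package Name:Fileset:Level:State:PTF Id:Fix State:Type:Description:Destination Dir.:Uninstaller:Message Catalog:Message Set:Message Number:Parent:Automatic:EFIX Locked:Install Path:Build Date
bos.sysmgt:bos.sysmgt.nim.client:7.3.2.0: : :C: :Network Install Manager - Client Tools: : : : : : :0:0:/:
bos.sysmgt:bos.sysmgt.nim.master:7.3.2.0: : :C: :Network Install Manager - Master Tools: : : : : : :0:0:/:'
SAMPLE_LSLPP_NONIM='bos.rte:bos.rte.libc:7.3.2.0: : :C: :libc Library: : : : : : :0:0:/:'
SAMPLE_EMGR_EMPTY='ID  STATE LABEL       INSTALL TIME      UPDATED BY ABSTRACT
=== ===== =========== ================= ========== ==================='
SAMPLE_EMGR_FIXED="$SAMPLE_EMGR_EMPTY
1    S    NIM_EXAMPLE 11/14/25 09:12:01            NIM security fix (placeholder)"

case "${1:-demo}" in
  live)  # On a real AIX/VIOS host: NIM_IFIX_LABEL=<label from README> ./nimcheck.sh live
         assess_nim_fix "$(lslpp -Lc bos.sysmgt.nim.master bos.sysmgt.nim.client 2>/dev/null)" \
                        "$(emgr -l 2>/dev/null)" "${NIM_IFIX_LABEL:?set to the ifix label}" ;;
  demo)  assess_nim_fix "$SAMPLE_LSLPP_NIM"   "$SAMPLE_EMGR_EMPTY" NIM_EXAMPLE  # VULNERABLE ...
         assess_nim_fix "$SAMPLE_LSLPP_NIM"   "$SAMPLE_EMGR_FIXED" NIM_EXAMPLE  # PATCHED
         assess_nim_fix "$SAMPLE_LSLPP_NONIM" "$SAMPLE_EMGR_EMPTY" NIM_EXAMPLE ;;  # NOT_APPLICABLE
esac
```

Run it with `live` on each LPAR or VIOS from your inventory tooling and collect the first word of the output; anything that prints VULNERABLE goes to the top of the patch queue, and a host that reports PATCHED only because the ifix is in a non-stable state (reboot pending, broken) is deliberately still reported as VULNERABLE.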
Keep an eye out for suspicious activity
If you aren’t able to patch or mitigate immediately, it’s very important to track activity on the AIX servers so that suspicious behavior is detected as early as possible. You can do this by:
- Monitoring for unexpected file writes in NIM server directories, unusual command execution, and certificate or private-key anomalies.
- Reviewing the existence and usage of NIM private keys, and rotating the keys if you suspect compromise.
- Ensuring nimsh is configured in SSL/TLS secure mode and that access to the NIM services is restricted to trusted hosts.
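Two of the checks above can be scripted without any extra tooling. The script below is an added example, not code from this post or from IBM: it flags NIM private-key files that are readable by anyone other than their owner, and lists files written under a NIM directory since a baseline stamp file was last touched. The directory locations are assumptions: /ssl_nimsh for the key material and /export/nim for NIM resources are conventional defaults, so adjust them to your environment, and the expected key owner defaults to root. The demo data is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example (not Mondoo's or IBM's code) for the monitoring advice above: flag
# NIM private-key files readable by anyone but their owner, and list files written
# under a NIM directory since a baseline stamp. Assumptions: keys live under
# /ssl_nimsh and NIM resources under /export/nim (conventional locations, adjust
# to your environment); the expected key owner is root unless overridden.

NIM_KEY_DIR="${NIM_KEY_DIR:-/ssl_nimsh}"
NIM_RESOURCE_DIR="${NIM_RESOURCE_DIR:-/export/nim}"
BASELINE="${BASELINE:-/var/adm/nim_baseline}"

# weak_key_files DIR [OWNER] -> prints every *.pem under DIR whose mode grants any
# group/other permission, or whose owner is not OWNER (default root). Parses ls -l
# rather than calling stat because AIX ships no GNU stat.
weak_key_files() {
  want="${2:-root}"
  find "$1" -type f -name '*.pem' 2>/dev/null | while IFS= read -r f; do
    set -- $(ls -ld "$f")          # after this: $1 = mode string, $3 = owner
    case "$1" in
      ?[r-][w-][x-]------*) [ "$3" = "$want" ] || echo "$f owner=$3 (want $want)" ;;
      *) echo "$f mode=$1 owner=$3" ;;
    esac
  done
}

# files_since_baseline DIR STAMP -> prints regular files under DIR modified after
# the STAMP file. Refresh the stamp with `touch` after every validated change so
# that only unexpected writes show up on the next run.
files_since_baseline() {
  if [ ! -e "$2" ]; then
    echo "no baseline at $2; create it with: touch $2" >&2
    return 2
  fi
  find "$1" -type f -newer "$2" 2>/dev/null
}

# demo -> builds a throwaway tree standing in for /ssl_nimsh and /export/nim
# (constructed data) and runs both checks against it.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/keys" "$tmp/res"
  printf 'dummy\n' > "$tmp/keys/server.pem"; chmod 600 "$tmp/keys/server.pem"
  printf 'dummy\n' > "$tmp/keys/client.pem"; chmod 644 "$tmp/keys/client.pem"
  touch "$tmp/baseline"; sleep 1
  printf 'x\n' > "$tmp/res/dropped.sh"
  weak_key_files "$tmp/keys" "$(ls -ld "$tmp/keys/server.pem" | awk '{print $3}')"
  files_since_baseline "$tmp/res" "$tmp/baseline"
  rm -rf "$tmp"
}

case "${1:-}" in
  live) weak_key_files "$NIM_KEY_DIR"
        files_since_baseline "$NIM_RESOURCE_DIR" "$BASELINE" ;;
  demo) demo ;;
esac
```

Run it with `live` from cron and alert on any output at all; on a correctly locked-down master both functions print nothing. The baseline approach is deliberately simple so that it works on AIX's own find, which lacks GNU's -mmin.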
How Mondoo can help
Mondoo uses an agentless scanner built for IBM Power Systems and AIX to continuously monitor your environment for vulnerabilities and misconfigurations that could put your systems at risk. This collector scans logical partitions (LPARs) and virtualized environments, discovering the IBM Power and AIX-specific services, file systems, vulnerabilities, and security configurations on each. Findings are prioritized by severity, contextual risk factors, and potential business impact.

In addition to detecting issues, Mondoo provides ticketing integrations, as well as guided remediation and pre-tested code snippets that can instantly be applied to fix risks.

Mondoo also provides agentic vulnerability patching that automatically creates remediation pull requests in the Mondoo security pipeline; platform engineers only need to review and approve them to get the fix applied.
Mondoo not only ensures that your critical IBM Power Systems and AIX environments are secure, but also that they stay secure through automated, repeatable processes. Download our solution brief on securing AIX and IBM Power Systems or schedule a demo to see Mondoo in action.