2 vulnerabilities found for DS8A00( R10.1) by IBM

CVE-2025-36192 (GCVE-0-2025-36192)
Vulnerability from nvd
Published: 2025-12-26 13:58
Modified: 2025-12-26 15:15
CWE: CWE-862 Missing Authorization
Summary
IBM DS8A00( R10.1) 10.10.106.0 and IBM DS8A00 ( R10.0) 10.1.3.0, 10.2.45.0 and IBM DS8900F ( R9.4) 89.40.83.0, 89.42.18.0, 89.44.5.0 IBM System Storage DS8000 could allow a local user with authorized CCW update permissions to delete or corrupt backups due to missing authorization in IBM Safeguarded Copy / GDPS Logical corruption protection mechanisms.
References
Impacted products
Vendor   Product            Version
IBM      DS8A00( R10.1)     10.10.106.0
    cpe:2.3:o:ibm:ds8900f_firmware:89.40.83.0:*:*:*:*:*:*:*
    cpe:2.3:o:ibm:ds8900f_firmware:89.44.5.0:*:*:*:*:*:*:*
    cpe:2.3:o:ibm:ds8900f_firmware:89.42.18.0:*:*:*:*:*:*:*
    cpe:2.3:o:ibm:ds8900f_firmware:10.2.45.0:*:*:*:*:*:*:*
    cpe:2.3:o:ibm:ds8900f_firmware:10.10.106.0:*:*:*:*:*:*:*
    cpe:2.3:o:ibm:ds8900f_firmware:10.1.3.0:*:*:*:*:*:*:*
IBM      DS8A00 ( R10.0)    10.1.3.0, 10.2.45.0
IBM      DS8900F ( R9.4)    89.40.83.0, 89.42.18.0, 89.44.5.0


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-36192",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-26T15:12:54.252892Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-26T15:15:11.888Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:o:ibm:ds8900f_firmware:89.40.83.0:*:*:*:*:*:*:*",
            "cpe:2.3:o:ibm:ds8900f_firmware:89.44.5.0:*:*:*:*:*:*:*",
            "cpe:2.3:o:ibm:ds8900f_firmware:89.42.18.0:*:*:*:*:*:*:*",
            "cpe:2.3:o:ibm:ds8900f_firmware:10.2.45.0:*:*:*:*:*:*:*",
            "cpe:2.3:o:ibm:ds8900f_firmware:10.10.106.0:*:*:*:*:*:*:*",
            "cpe:2.3:o:ibm:ds8900f_firmware:10.1.3.0:*:*:*:*:*:*:*"
          ],
          "product": "DS8A00( R10.1)",
          "vendor": "IBM",
          "versions": [
            {
              "status": "affected",
              "version": "10.10.106.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "product": "DS8A00 ( R10.0)",
          "vendor": "IBM",
          "versions": [
            {
              "status": "affected",
              "version": "10.1.3.0"
            },
            {
              "status": "affected",
              "version": "10.2.45.0"
            }
          ]
        },
        {
          "product": "DS8900F ( R9.4)",
          "vendor": "IBM",
          "versions": [
            {
              "status": "affected",
              "version": "89.40.83.0"
            },
            {
              "status": "affected",
              "version": "89.42.18.0"
            },
            {
              "status": "affected",
              "version": "89.44.5.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIBM DS8A00( R10.1) 10.10.106.0 and IBM DS8A00 ( R10.0) 10.1.3.010.2.45.0 and IBM DS8900F ( R9.4) 89.40.83.089.42.18.089.44.5.0 IBM System Storage DS8000 could allow a local user with authorized CCW update permissions to delete or corrupt backups due to missing authorization in IBM Safeguarded Copy / GDPS Logical corruption protection mechanisms.\u003c/p\u003e"
            }
          ],
          "value": "IBM DS8A00( R10.1) 10.10.106.0 and IBM DS8A00 ( R10.0) 10.1.3.010.2.45.0 and IBM DS8900F ( R9.4) 89.40.83.089.42.18.089.44.5.0 IBM System Storage DS8000 could allow a local user with authorized CCW update permissions to delete or corrupt backups due to missing authorization in IBM Safeguarded Copy / GDPS Logical corruption protection mechanisms."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-26T14:00:21.658Z",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://www.ibm.com/support/pages/node/7255039"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003e\u003c/p\u003e\u003cdiv\u003eDS8A00 fixes are delivered in Microcode Bundle 10.11.30.0 R10.1.1\u003c/div\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cdiv\u003eDS8900F fixes are delivered in Microcode Bundle 89.44.17.0 R9.4 SP4.2\u003c/div\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDS8A00 customers should either schedule Remote Code Load (RCL) via \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/ibm-remote-code-load\"\u003ehttps://www.ibm.com/support/pages/ibm-remote-code-load\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;or contact IBM support, and request that 10.11.30.0 be applied to their systems.\u003c/span\u003e\u003cp\u003eDS8900F customers should either schedule Remote Code Load (RCL) via \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/ibm-remote-code-load\"\u003ehttps://www.ibm.com/support/pages/ibm-remote-code-load\u003c/a\u003e\u0026nbsp;or contact IBM support, and request that 89.44.17.0 be applied to their systems.\u003c/p\u003e\u003cp\u003eICS Installation Guidelines:\u003c/p\u003e\u003cp\u003eThe ICS(es) listed below remediate critical severity vulnerabilities\u003c/p\u003e\u003cp\u003ea) ICS CVE_4Q2025_v1.0.iso includes remediation for CVE-2024-52533 , CVE-2025-49796 , CVE-2025-49794 and is available for DS8900F and DS8A00.\u003c/p\u003e\u003cp\u003eb) ICS CVE_4Q2025_v1.1.iso includes remediation for CVE-2025-23048 and is available for DS8900F and DS8A00.\u003c/p\u003e\u003cp\u003eDS8900Fsystem with R9.4 LIC bundle but below 89.44.17.0 or DS8A00 with R10.0 LIC bundle but below 10.11.30.0 are recommended to install both of the above mentioned ICS(es). 
Customers should should either contact Remote Code Load (RCL) via \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/ibm-remote-code-load\"\u003ehttps://www.ibm.com/support/pages/ibm-remote-code-load\u003c/a\u003e\u0026nbsp;or contact IBM support to load the above mentioned ICS(es).\u003c/p\u003e\u003cp\u003eNote: The above ICS(es) are not supported for DS8900F with LIC bundle below R9.4.\u003c/p\u003e\u003cp\u003eCustomers should either contact Remote Code Load (RCL) via \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/ibm-remote-code-load\"\u003ehttps://www.ibm.com/support/pages/ibm-remote-code-load\u003c/a\u003e\u0026nbsp;or contact IBM support to load the recommended or latest LIC bundle on the DS8900F system.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e"
            }
          ],
          "value": "DS8A00 fixes are delivered in Microcode Bundle 10.11.30.0 R10.1.1\n\n\u00a0\n\nDS8900F fixes are delivered in Microcode Bundle 89.44.17.0 R9.4 SP4.2\n\n\u00a0\n\nDS8A00 customers should either schedule Remote Code Load (RCL) via  https://www.ibm.com/support/pages/ibm-remote-code-load \u00a0or contact IBM support, and request that 10.11.30.0 be applied to their systems.DS8900F customers should either schedule Remote Code Load (RCL) via  https://www.ibm.com/support/pages/ibm-remote-code-load \u00a0or contact IBM support, and request that 89.44.17.0 be applied to their systems.\n\nICS Installation Guidelines:\n\nThe ICS(es) listed below remediate critical severity vulnerabilities\n\na) ICS CVE_4Q2025_v1.0.iso includes remediation for CVE-2024-52533 , CVE-2025-49796 , CVE-2025-49794 and is available for DS8900F and DS8A00.\n\nb) ICS CVE_4Q2025_v1.1.iso includes remediation for CVE-2025-23048 and is available for DS8900F and DS8A00.\n\nDS8900Fsystem with R9.4 LIC bundle but below 89.44.17.0 or DS8A00 with R10.0 LIC bundle but below 10.11.30.0 are recommended to install both of the above mentioned ICS(es). Customers should should either contact Remote Code Load (RCL) via  https://www.ibm.com/support/pages/ibm-remote-code-load \u00a0or contact IBM support to load the above mentioned ICS(es).\n\nNote: The above ICS(es) are not supported for DS8900F with LIC bundle below R9.4.\n\nCustomers should either contact Remote Code Load (RCL) via  https://www.ibm.com/support/pages/ibm-remote-code-load \u00a0or contact IBM support to load the recommended or latest LIC bundle on the DS8900F system."
        }
      ],
      "title": "Missing Authorization with the DS8900F and DS8A00 Hardware Management Console",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eDS8900F and DS8A00 commonly known as DS8K is installed in client data center and clients control access to the system. DS8K offers multiple security features like LDAP, Multi-factor authentication, audit logging etc., that allows clients to control and audit personnel access to their DS8K. In addition, DS8K has implemented IBM approved challenge-response system to control IBM service personnel accessing the system either locally or remotely.\u003c/p\u003e\u003cp\u003eSo, a malicious attacker must meticulously bypass multiple layers of authentication by exploiting known open-source vulnerabilities to gain access to DS8K. The first step would be gaining access through the client infrastructure. While the issue must be mitigated at the earliest, it doesn\u2019t pose an immediate vulnerability due to existing access controls implemented in DS8K.\u003c/p\u003e\u003cp\u003eIn addition, DS8K supports deployment of code fixes either via remote code load process or locally by IBM personnel. DS8K clients can deploy code fixes too.\u003c/p\u003e\u003cbr\u003e"
            }
          ],
          "value": "DS8900F and DS8A00 commonly known as DS8K is installed in client data center and clients control access to the system. DS8K offers multiple security features like LDAP, Multi-factor authentication, audit logging etc., that allows clients to control and audit personnel access to their DS8K. In addition, DS8K has implemented IBM approved challenge-response system to control IBM service personnel accessing the system either locally or remotely.\n\nSo, a malicious attacker must meticulously bypass multiple layers of authentication by exploiting known open-source vulnerabilities to gain access to DS8K. The first step would be gaining access through the client infrastructure. While the issue must be mitigated at the earliest, it doesn\u2019t pose an immediate vulnerability due to existing access controls implemented in DS8K.\n\nIn addition, DS8K supports deployment of code fixes either via remote code load process or locally by IBM personnel. DS8K clients can deploy code fixes too."
        }
      ],
      "x_generator": {
        "engine": "ibm-cvegen"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2025-36192",
    "datePublished": "2025-12-26T13:58:51.713Z",
    "dateReserved": "2025-04-15T21:16:24.268Z",
    "dateUpdated": "2025-12-26T15:15:11.888Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-36192 (GCVE-0-2025-36192)
Vulnerability from cvelistv5
Published: 2025-12-26 13:58
Modified: 2025-12-26 15:15
CWE: CWE-862 Missing Authorization
Summary
IBM DS8A00( R10.1) 10.10.106.0 and IBM DS8A00 ( R10.0) 10.1.3.0, 10.2.45.0 and IBM DS8900F ( R9.4) 89.40.83.0, 89.42.18.0, 89.44.5.0 IBM System Storage DS8000 could allow a local user with authorized CCW update permissions to delete or corrupt backups due to missing authorization in IBM Safeguarded Copy / GDPS Logical corruption protection mechanisms.
References
Impacted products
Vendor   Product            Version
IBM      DS8A00( R10.1)     10.10.106.0
    cpe:2.3:o:ibm:ds8900f_firmware:89.40.83.0:*:*:*:*:*:*:*
    cpe:2.3:o:ibm:ds8900f_firmware:89.44.5.0:*:*:*:*:*:*:*
    cpe:2.3:o:ibm:ds8900f_firmware:89.42.18.0:*:*:*:*:*:*:*
    cpe:2.3:o:ibm:ds8900f_firmware:10.2.45.0:*:*:*:*:*:*:*
    cpe:2.3:o:ibm:ds8900f_firmware:10.10.106.0:*:*:*:*:*:*:*
    cpe:2.3:o:ibm:ds8900f_firmware:10.1.3.0:*:*:*:*:*:*:*
IBM      DS8A00 ( R10.0)    10.1.3.0, 10.2.45.0
IBM      DS8900F ( R9.4)    89.40.83.0, 89.42.18.0, 89.44.5.0


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-36192",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-26T15:12:54.252892Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-26T15:15:11.888Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:o:ibm:ds8900f_firmware:89.40.83.0:*:*:*:*:*:*:*",
            "cpe:2.3:o:ibm:ds8900f_firmware:89.44.5.0:*:*:*:*:*:*:*",
            "cpe:2.3:o:ibm:ds8900f_firmware:89.42.18.0:*:*:*:*:*:*:*",
            "cpe:2.3:o:ibm:ds8900f_firmware:10.2.45.0:*:*:*:*:*:*:*",
            "cpe:2.3:o:ibm:ds8900f_firmware:10.10.106.0:*:*:*:*:*:*:*",
            "cpe:2.3:o:ibm:ds8900f_firmware:10.1.3.0:*:*:*:*:*:*:*"
          ],
          "product": "DS8A00( R10.1)",
          "vendor": "IBM",
          "versions": [
            {
              "status": "affected",
              "version": "10.10.106.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "product": "DS8A00 ( R10.0)",
          "vendor": "IBM",
          "versions": [
            {
              "status": "affected",
              "version": "10.1.3.0"
            },
            {
              "status": "affected",
              "version": "10.2.45.0"
            }
          ]
        },
        {
          "product": "DS8900F ( R9.4)",
          "vendor": "IBM",
          "versions": [
            {
              "status": "affected",
              "version": "89.40.83.0"
            },
            {
              "status": "affected",
              "version": "89.42.18.0"
            },
            {
              "status": "affected",
              "version": "89.44.5.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIBM DS8A00( R10.1) 10.10.106.0 and IBM DS8A00 ( R10.0) 10.1.3.010.2.45.0 and IBM DS8900F ( R9.4) 89.40.83.089.42.18.089.44.5.0 IBM System Storage DS8000 could allow a local user with authorized CCW update permissions to delete or corrupt backups due to missing authorization in IBM Safeguarded Copy / GDPS Logical corruption protection mechanisms.\u003c/p\u003e"
            }
          ],
          "value": "IBM DS8A00( R10.1) 10.10.106.0 and IBM DS8A00 ( R10.0) 10.1.3.010.2.45.0 and IBM DS8900F ( R9.4) 89.40.83.089.42.18.089.44.5.0 IBM System Storage DS8000 could allow a local user with authorized CCW update permissions to delete or corrupt backups due to missing authorization in IBM Safeguarded Copy / GDPS Logical corruption protection mechanisms."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-26T14:00:21.658Z",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://www.ibm.com/support/pages/node/7255039"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003e\u003c/p\u003e\u003cdiv\u003eDS8A00 fixes are delivered in Microcode Bundle 10.11.30.0 R10.1.1\u003c/div\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cdiv\u003eDS8900F fixes are delivered in Microcode Bundle 89.44.17.0 R9.4 SP4.2\u003c/div\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDS8A00 customers should either schedule Remote Code Load (RCL) via \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/ibm-remote-code-load\"\u003ehttps://www.ibm.com/support/pages/ibm-remote-code-load\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;or contact IBM support, and request that 10.11.30.0 be applied to their systems.\u003c/span\u003e\u003cp\u003eDS8900F customers should either schedule Remote Code Load (RCL) via \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/ibm-remote-code-load\"\u003ehttps://www.ibm.com/support/pages/ibm-remote-code-load\u003c/a\u003e\u0026nbsp;or contact IBM support, and request that 89.44.17.0 be applied to their systems.\u003c/p\u003e\u003cp\u003eICS Installation Guidelines:\u003c/p\u003e\u003cp\u003eThe ICS(es) listed below remediate critical severity vulnerabilities\u003c/p\u003e\u003cp\u003ea) ICS CVE_4Q2025_v1.0.iso includes remediation for CVE-2024-52533 , CVE-2025-49796 , CVE-2025-49794 and is available for DS8900F and DS8A00.\u003c/p\u003e\u003cp\u003eb) ICS CVE_4Q2025_v1.1.iso includes remediation for CVE-2025-23048 and is available for DS8900F and DS8A00.\u003c/p\u003e\u003cp\u003eDS8900Fsystem with R9.4 LIC bundle but below 89.44.17.0 or DS8A00 with R10.0 LIC bundle but below 10.11.30.0 are recommended to install both of the above mentioned ICS(es). 
Customers should should either contact Remote Code Load (RCL) via \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/ibm-remote-code-load\"\u003ehttps://www.ibm.com/support/pages/ibm-remote-code-load\u003c/a\u003e\u0026nbsp;or contact IBM support to load the above mentioned ICS(es).\u003c/p\u003e\u003cp\u003eNote: The above ICS(es) are not supported for DS8900F with LIC bundle below R9.4.\u003c/p\u003e\u003cp\u003eCustomers should either contact Remote Code Load (RCL) via \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/ibm-remote-code-load\"\u003ehttps://www.ibm.com/support/pages/ibm-remote-code-load\u003c/a\u003e\u0026nbsp;or contact IBM support to load the recommended or latest LIC bundle on the DS8900F system.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e"
            }
          ],
          "value": "DS8A00 fixes are delivered in Microcode Bundle 10.11.30.0 R10.1.1\n\n\u00a0\n\nDS8900F fixes are delivered in Microcode Bundle 89.44.17.0 R9.4 SP4.2\n\n\u00a0\n\nDS8A00 customers should either schedule Remote Code Load (RCL) via  https://www.ibm.com/support/pages/ibm-remote-code-load \u00a0or contact IBM support, and request that 10.11.30.0 be applied to their systems.DS8900F customers should either schedule Remote Code Load (RCL) via  https://www.ibm.com/support/pages/ibm-remote-code-load \u00a0or contact IBM support, and request that 89.44.17.0 be applied to their systems.\n\nICS Installation Guidelines:\n\nThe ICS(es) listed below remediate critical severity vulnerabilities\n\na) ICS CVE_4Q2025_v1.0.iso includes remediation for CVE-2024-52533 , CVE-2025-49796 , CVE-2025-49794 and is available for DS8900F and DS8A00.\n\nb) ICS CVE_4Q2025_v1.1.iso includes remediation for CVE-2025-23048 and is available for DS8900F and DS8A00.\n\nDS8900Fsystem with R9.4 LIC bundle but below 89.44.17.0 or DS8A00 with R10.0 LIC bundle but below 10.11.30.0 are recommended to install both of the above mentioned ICS(es). Customers should should either contact Remote Code Load (RCL) via  https://www.ibm.com/support/pages/ibm-remote-code-load \u00a0or contact IBM support to load the above mentioned ICS(es).\n\nNote: The above ICS(es) are not supported for DS8900F with LIC bundle below R9.4.\n\nCustomers should either contact Remote Code Load (RCL) via  https://www.ibm.com/support/pages/ibm-remote-code-load \u00a0or contact IBM support to load the recommended or latest LIC bundle on the DS8900F system."
        }
      ],
      "title": "Missing Authorization with the DS8900F and DS8A00 Hardware Management Console",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eDS8900F and DS8A00 commonly known as DS8K is installed in client data center and clients control access to the system. DS8K offers multiple security features like LDAP, Multi-factor authentication, audit logging etc., that allows clients to control and audit personnel access to their DS8K. In addition, DS8K has implemented IBM approved challenge-response system to control IBM service personnel accessing the system either locally or remotely.\u003c/p\u003e\u003cp\u003eSo, a malicious attacker must meticulously bypass multiple layers of authentication by exploiting known open-source vulnerabilities to gain access to DS8K. The first step would be gaining access through the client infrastructure. While the issue must be mitigated at the earliest, it doesn\u2019t pose an immediate vulnerability due to existing access controls implemented in DS8K.\u003c/p\u003e\u003cp\u003eIn addition, DS8K supports deployment of code fixes either via remote code load process or locally by IBM personnel. DS8K clients can deploy code fixes too.\u003c/p\u003e\u003cbr\u003e"
            }
          ],
          "value": "DS8900F and DS8A00 commonly known as DS8K is installed in client data center and clients control access to the system. DS8K offers multiple security features like LDAP, Multi-factor authentication, audit logging etc., that allows clients to control and audit personnel access to their DS8K. In addition, DS8K has implemented IBM approved challenge-response system to control IBM service personnel accessing the system either locally or remotely.\n\nSo, a malicious attacker must meticulously bypass multiple layers of authentication by exploiting known open-source vulnerabilities to gain access to DS8K. The first step would be gaining access through the client infrastructure. While the issue must be mitigated at the earliest, it doesn\u2019t pose an immediate vulnerability due to existing access controls implemented in DS8K.\n\nIn addition, DS8K supports deployment of code fixes either via remote code load process or locally by IBM personnel. DS8K clients can deploy code fixes too."
        }
      ],
      "x_generator": {
        "engine": "ibm-cvegen"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2025-36192",
    "datePublished": "2025-12-26T13:58:51.713Z",
    "dateReserved": "2025-04-15T21:16:24.268Z",
    "dateUpdated": "2025-12-26T15:15:11.888Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}