SB2025102726 - Multiple vulnerabilities in IBM Control Center

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025102726

SB2025102726 - Multiple vulnerabilities in IBM Control Center

Published: October 27, 2025

Security Bulletin ID SB2025102726
Severity
Medium
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Medium 67% Low 33%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.


1) Missing authorization (CVE-ID: CVE-2025-22235)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to an error in EndpointRequest.to() implementation. The function creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed. A remote non-authenticated attacker can gain unauthorized access to the application.


2) Security features bypass (CVE-ID: CVE-2025-22228)

The vulnerability allows a remote attacker to gain unauthorized access to the application.

The vulnerability exists due to BCryptPasswordEncoder does not properly enforce maximum password length and will return "true" for passwords larger than 72 characters as long as the first 72 characters are the same. This can be used set weak passwords that can be easily brute-forced.


3) Improper Authorization (CVE-ID: CVE-2024-38821)

The vulnerability allows a remote attacker to bypass authorization.

The vulnerability exists due to improper implementation of authorization checks when accessing static resources in WebFlux application. A remote non-authenticated attacker can bypass authorization process and gain unauthorized access to the application.


Remediation

Install update from vendor's website.

References