SB2025112104 - Multiple vulnerabilities in IBM Power HMC

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025112104

SB2025112104 - Multiple vulnerabilities in IBM Power HMC

Published: November 21, 2025 Updated: March 13, 2026

Security Bulletin ID SB2025112104
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 10
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 90% Low 10%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 10 vulnerabilities.


1) Input validation error (CVE-ID: CVE-2025-52434)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input when handling HTTP/2 requests with APR/Native. A remote attacker can send specially crafted HTTP requests to the server and perform a denial of service (DoS) attack.


2) Resource exhaustion (CVE-ID: CVE-2025-48989)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when handling HTTP/2 requests. A remote attacker can send specially crafted HTTP request to the web server and consume all available memory resources, leading to a denial of service. 

Note, this vulnerability is known as HTTP/2 Made You Reset Attack.


3) Resource management error (CVE-ID: CVE-2025-52520)

CWE-ID: CWE-399 - Resource Management Errors

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to overflow in file upload limit. A remote attacker can send specially crafted requests to the server and perform a denial of service (DoS) attack.


4) Resource exhaustion (CVE-ID: CVE-2025-53506)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when handling excessive HTTP/2 streams. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


5) Session Fixation (CVE-ID: CVE-2025-55668)

CWE-ID: CWE-384 - Session Fixation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to session fixation. A remote attacker can trick the victim into opening a specially crafted request to gain unauthorized access to sensitive information on the system.


6) Improper Protection of Alternate Path (CVE-ID: CVE-2025-49125)

CWE-ID: CWE-424 - Improper Protection of Alternate Path

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to improper access restrictions when using PreResources or PostResources mounted other than at the root of the web application. A remote attacker can bypass configured security rules using a alternate path and gain unauthorized access to the application. 


7) Resource exhaustion (CVE-ID: CVE-2025-48988)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when handling multipart requests. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


8) Improper handling of case sensitivity (CVE-ID: CVE-2025-46701)

CWE-ID: CWE-178 - Improper Handling of Case Sensitivity

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear


The vulnerability allows a remote attacker to bypass security restrictions.

The vulnerability exists due to an error when handling URLs on a case insensitive filesystem with security constraints configured for the <code>pathInfo</code> component of a URL that mapped to the CGI servlet. A remote attacker can bypass imposed security constraints via a specially crafted URL.


9) Input validation error (CVE-ID: CVE-2025-31651)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Green


The vulnerability allows a remote attacker to bypass rewrite rules.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send a specially crafted input to the application and bypass configured rewrite rules.


10) Improper error handling (CVE-ID: CVE-2025-31650)

CWE-ID: CWE-388 - Error Handling

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient error handling for certain invalid HTTP priority headers. A remote attacker can send a large amount of specially crafted HTTP requests to the server and consume all available memory, resulting in a denial of service condition.


Remediation

Install update from vendor's website.

References