CVE-2025-36124: 
IBM WebSphere Application Server vulnerability analysis and mitigation

CVE-2025-36124 is a security bypass vulnerability affecting IBM WebSphere Application Server Liberty versions 17.0.0.3 through 25.0.0.8. The vulnerability was discovered and disclosed on August 12, 2025, and it specifically impacts installations with JMS messaging features enabled, including wasJmsServer-1.0, wasJmsSecurity-1.0, wasJmsClient-2.0, messagingServer-3.0, messagingSecurity-3.0, or messagingClient-3.0 (IBM Advisory).

The vulnerability is classified as CWE-268 (Privilege Chaining) and stems from a failure to honor JMS messaging configuration. The CVSS v3.1 scores vary between sources, with NVD assigning a HIGH severity base score of 7.5 (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) while IBM Corporation rates it as MEDIUM severity with a base score of 5.9 (Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) (NVD).

The vulnerability could allow remote attackers to bypass security restrictions in the JMS messaging system. The impact primarily affects the availability and integrity of the system, with no direct impact on confidentiality as indicated by the CVSS vectors (IBM Advisory).

IBM recommends addressing the vulnerability by either applying an interim fix containing the fix for APAR PH67546 or upgrading to Liberty Fix Pack 25.0.0.9 or later (targeted availability 3Q2025). Users should first verify if their installation has the affected features enabled. No workarounds are available for this vulnerability (IBM Advisory).