IBM has released a new security bulletin addressing multiple high-severity vulnerabilities affecting AIX 7.2, AIX 7.3, and VIOS 3.1/4.1, including flaws that could allow remote attackers to execute arbitrary commands, obtain private cryptographic keys, or write malicious files through directory traversal.
According to the bulletin, “Vulnerabilities in AIX could allow a remote attacker to execute arbitrary commands (CVE-2025-36251, CVE-2025-36250), obtain Network Installation Manager (NIM) private keys (CVE-2025-36096), or traverse directories (CVE-2025-36236).”
IBM notes these vulnerabilities are exploitable only if the attacker can establish network connectivity to the affected host—making network exposure a significant risk factor.
IBM’s bulletin outlines four critical security issues, three of which score CVSS 8.2 or higher, including a maximum CVSS 10.0.
1. Remote Command Execution via nimsh – CVE-2025-36251 (CVSS 9.6)
IBM reports that the AIX nimsh service contains SSL/TLS implementation flaws. The bulletin explains that improper process controls “could allow a remote attacker to execute arbitrary commands.” This vulnerability expands on issues previously mitigated in CVE-2024-56347.
2. Exposure of NIM Private Keys – CVE-2025-36096 (CVSS 9.0)
NIM private keys are stored in an insecure manner, opening the door to credential theft. IBM states AIX “stores NIM private keys… in an insecure way which is susceptible to unauthorized access by an attacker using man in the middle techniques.” This could enable attackers to impersonate systems, intercept installations, or gain persistent administrative access.
3. Remote Command Execution via nimesis – CVE-2025-36250 (CVSS 10.0)
The most severe vulnerability lies within the NIM server (nimesis) service. IBM warns it “could allow a remote attacker to execute arbitrary commands due to improper process controls.” This flaw represents the highest-level criticality in the AIX environment.
4. Directory Traversal Vulnerability – CVE-2025-36236 (CVSS 8.2)
Finally, the NIM server also contains a directory traversal flaw. An attacker could “send a specially crafted URL request to write arbitrary files on the system.” This could enable root-level compromise, defacement, or lateral movement.
IBM lists the following products as vulnerable:
- AIX 7.2
- AIX 7.3
- VIOS 3.1
- VIOS 4.1
A long list of NIM-related filesets (bos.sysmgt.nim.client, bos.sysmgt.nim.master, bos.sysmgt.sysbr) is affected across multiple Technology Levels (TLs) and Service Packs (SPs).
Organizations are encouraged to check installed levels using:
IBM has released a set of APARs and fix packages for both AIX and VIOS.
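As an added example (not IBM's code and not taken from the bulletin), the POSIX shell script below reads `lslpp -L` output for the three filesets named above and flags any installed level that is below a fix level. The fix level is a placeholder to be replaced with the value from IBM's fix table for your TL/SP, and the sample `lslpp` output is constructed for offline use.

```shell
#!/bin/sh
# Added example, not from IBM's bulletin: inventory the NIM filesets the
# advisory names and flag any below a fix level. FIX_LEVEL is a placeholder,
# not a real IBM value; take it from IBM's fix table for your TL/SP.
# On a live host pipe in:
#   lslpp -L bos.sysmgt.nim.client bos.sysmgt.nim.master bos.sysmgt.sysbr

AFFECTED_FILESETS="bos.sysmgt.nim.client bos.sysmgt.nim.master bos.sysmgt.sysbr"

# Constructed sample in lslpp -L layout (Fileset Level State Type Description)
SAMPLE_LSLPP='  Fileset                      Level  State  Type  Description (Uninstaller)
  ----------------------------------------------------------------------------
  bos.sysmgt.nim.client      7.3.2.0    C     F    Network Install Manager - Client Tools
  bos.sysmgt.sysbr           7.3.2.0    C     F    System Backup and BOS Install Utilities'

# installed_level FILESET: print the Level column for FILESET from lslpp output on stdin
installed_level() {
    awk -v fs="$1" '$1 == fs { print $2; exit }'
}

# level_below A B: succeed when VRMF level A is strictly lower than B (7.3.2.0 < 7.3.2.1)
level_below() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n | head -n 1)" = "$1" ]
}

# report_nim_filesets FIX_LEVEL: read lslpp output on stdin; print one line per affected
# fileset: "fileset level NEEDS_FIX", "fileset level OK" or "fileset NOT_INSTALLED"
report_nim_filesets() {
    fix=$1
    input=$(cat)
    for fs in $AFFECTED_FILESETS; do
        level=$(printf '%s\n' "$input" | installed_level "$fs")
        if [ -z "$level" ]; then
            printf '%s NOT_INSTALLED\n' "$fs"
        elif level_below "$level" "$fix"; then
            printf '%s %s NEEDS_FIX\n' "$fs" "$level"
        else
            printf '%s %s OK\n' "$fs" "$level"
        fi
    done
}

# count_needing_fix FIX_LEVEL LSLPP_OUTPUT: number of installed affected filesets below FIX_LEVEL
count_needing_fix() {
    printf '%s\n' "$2" | report_nim_filesets "$1" | awk '$3 == "NEEDS_FIX" { n++ } END { print n + 0 }'
}

FIX_LEVEL="7.3.2.1"   # placeholder; replace with the level from IBM's fix table
printf '%s\n' "$SAMPLE_LSLPP" | report_nim_filesets "$FIX_LEVEL"
```

On the constructed sample the script reports bos.sysmgt.nim.client and bos.sysmgt.sysbr as NEEDS_FIX and bos.sysmgt.nim.master as NOT_INSTALLED.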