IBM has issued a critical security advisory warning customers of a high-severity vulnerability (CVE-2025-36386, CVSS 9.8) in IBM Maximo Manage, a core component of the IBM Maximo Application Suite (MAS). The flaw allows a remote attacker to bypass authentication mechanisms and gain unauthorized access to Cognos Analytics, potentially exposing sensitive business data.
According to the advisory, “There is a vulnerability in the IBM Maximo Manage application in IBM Maximo Application Suite, when used with stand-alone Cognos Analytics, where MXCSP is used for integration. A remote attacker could bypass authentication mechanisms and gain unauthorized access to Cognos Analytics.”
The issue arises from the way MXCSP (Maximo Cognos Service Provider) handles authentication requests during the integration between Maximo Manage and Cognos Analytics. When improperly configured or exploited, the integration can be manipulated to bypass standard authentication checks, granting access to the Cognos service layer without valid credentials.
This flaw affects multiple versions of the Maximo Manage component, specifically:
- MAS 9.0.0 to 9.0.15 (Manage 9.0.0 to 9.0.17)
- MAS 9.1.0 to 9.1.4 (Manage 9.1.0 to 9.1.4)
Due to its remote exploitability and the potential exposure of sensitive analytics data, IBM has assigned the vulnerability its highest urgency level and is recommending immediate remediation.
IBM Maximo Application Suite is widely deployed in industrial, manufacturing, and enterprise asset management environments, where Cognos Analytics integrates with operational data for visualization and reporting.
A successful exploit could allow an attacker to:
- Access and manipulate Cognos dashboards and reports;
- Extract or alter sensitive analytics data;
- Chain the authentication bypass with other vulnerabilities to escalate privileges within Maximo environments.
Given that Cognos Analytics often interfaces with enterprise-wide data sources, the compromise could extend beyond Maximo to include ERP, supply-chain, and maintenance intelligence systems.
Patches have been released for both major MAS branches:
IBM is urging all affected customers to apply the latest patch fixes immediately.