CVE-2023-25681

IBM Spectrum Virtualize security bypass

Severity Score

5.3
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

LDAP users on IBM Spectrum Virtualize 8.5 which are configured to require multifactor authentication can still authenticate to the CIM interface using only username and password. This does not affect local users with MFA configured or remote users authenticating via single sign-on. IBM X-Force ID: 247033.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision: Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2023-02-11 CVE Reserved
  • 2024-03-05 CVE Published
  • 2024-03-06 EPSS Updated
  • 2024-08-02 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-308: Use of Single-factor Authentication
CAPEC
Affected Vendors, Products, and Versions
Vendor
IBM
Product
Spectrum Virtualize
Version
8.5
Other
en
Status
Affected