CVE-2025-36118
IBM Storage Virtualize Information Disclosure
In short
IBM Storage Virtualize devices leak sensitive information from device memory when processing IKEv1 Security Association (SA) negotiation requests. An attacker can exploit this flaw remotely without authentication to steal confidential data.
Technical detail
The IKEv1 implementation in IBM Storage Virtualize 8.4, 8.5, 8.7, and 9.1 fails to properly sanitize memory during Security Association negotiation, allowing remote attackers to extract sensitive information via crafted SA requests. No authentication is required; the vulnerability can be exploited during the initial key exchange phase.
Summary generated and translated by AI from the official description.
IBM Storage Virtualize 8.4, 8.5, 8.7, and 9.1 IKEv1 implementation allows remote attackers to obtain sensitive information from device memory via a Security Association (SA) negotiation request.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
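Because the flaw is reached through an unauthenticated IKEv1 SA negotiation, defenders may want to know which hosts are opening IKEv1 phase 1 exchanges toward their devices. The following is an added example, not part of the original advisory or any vendor code: it parses the ISAKMP header (RFC 2408) of captured UDP payloads and counts initial IKEv1 SA requests per source. The function names, the sample addresses and the sample datagrams are assumptions constructed for illustration.

```python
import struct
from collections import Counter

# ISAKMP header, RFC 2408 section 3.1: cookies, next payload, version,
# exchange type, flags, message ID, total length (28 bytes).
HDR = struct.Struct("!8s8sBBBBII")
ZERO_COOKIE = b"\x00" * 8
PHASE1 = {2: "main", 4: "aggressive"}  # IKEv1 phase 1 exchange types

def classify(payload, dst_port=500):
    """Describe a UDP payload as IKE, or return None if it is not IKE."""
    if dst_port == 4500:                    # NAT-T, RFC 3948
        if payload[:4] != b"\x00" * 4:      # no non-ESP marker: ESP-in-UDP
            return None
        payload = payload[4:]
    if len(payload) < HDR.size:
        return None
    _icky, rcky, nxt, ver, xchg, _flags, _mid, length = HDR.unpack_from(payload)
    major = ver >> 4
    # First message of phase 1: SA payload (type 1) next, responder cookie unset.
    first_sa = major == 1 and xchg in PHASE1 and nxt == 1 and rcky == ZERO_COOKIE
    return {"major": major, "mode": PHASE1.get(xchg) if major == 1 else None,
            "initial_sa": first_sa, "length_ok": length == len(payload)}

def ikev1_sa_sources(datagrams):
    """Count initial IKEv1 SA requests per source from (src, dport, payload)."""
    hits = Counter()
    for src, dport, payload in datagrams:
        info = classify(payload, dport)
        if info and info["initial_sa"]:
            hits[src] += 1
    return dict(hits)

def _dgram(ver, xchg, nxt, rcookie=ZERO_COOKIE, body=b"\x00" * 8):
    """Build a constructed sample datagram: header plus placeholder body."""
    size = HDR.size + len(body)
    return HDR.pack(b"\x11" * 8, rcookie, nxt, ver, xchg, 0, 0, size) + body

# Constructed sample traffic (documentation addresses, placeholder bodies).
SAMPLE = [
    ("192.0.2.10", 500, _dgram(0x10, 2, 1)),                # IKEv1 main mode
    ("192.0.2.10", 4500, b"\x00" * 4 + _dgram(0x10, 4, 1)),  # aggressive, NAT-T
    ("198.51.100.7", 500, _dgram(0x20, 34, 33)),            # IKEv2 IKE_SA_INIT
    ("203.0.113.5", 500, _dgram(0x10, 2, 4, b"\x22" * 8)),   # later phase 1 leg
    ("203.0.113.9", 4500, b"\xde\xad\xbe\xef" + b"\x00" * 40),  # ESP-in-UDP
]

if __name__ == "__main__":
    print(ikev1_sa_sources(SAMPLE))
```

Sources that appear in the result but are not configured VPN peers are the ones to review against firewall rules for UDP 500 and 4500.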
Affected products
IBM · Storage Virtualize