CVE-2025-33108 Overview
IBM Backup, Recovery and Media Services (BRMS) for i versions 7.4 and 7.5 contains a privilege escalation vulnerability stemming from an unqualified library call within a BRMS program. This flaw allows a user with the capability to compile or restore a program to gain elevated privileges, potentially enabling malicious actors to execute user-controlled code with component access to the host operating system.
Critical Impact
Authenticated attackers can leverage unqualified library calls in BRMS to escalate privileges and execute arbitrary code with elevated access to the IBM i operating system.
Affected Products
- IBM i version 7.4
- IBM i version 7.5
- IBM Backup, Recovery and Media Services for i
Discovery Timeline
- June 14, 2025 - CVE-2025-33108 published to NVD
- August 20, 2025 - Last updated in NVD database
Technical Details for CVE-2025-33108
Vulnerability Analysis
This vulnerability is classified under CWE-250 (Execution with Unnecessary Privileges). The core issue resides in a BRMS program that calls another object without fully qualifying it with a library name. On IBM i, an unqualified call is resolved by searching the job's library list in order and using the first object whose name and type match. An attacker who can compile or restore a program can exploit this behavior by placing a same-named object in a library that is searched before the legitimate BRMS library, causing the BRMS program to load and execute attacker-controlled code instead of the legitimate object.
The network-accessible nature of this vulnerability combined with low attack complexity makes it particularly concerning for organizations running BRMS in their IBM i environments. Successful exploitation grants attackers the same privileges as the BRMS component, which typically operates with elevated access to perform backup and recovery operations across the system.
Root Cause
The root cause is an unqualified library call within a BRMS program. When a program does not explicitly specify the library containing the object it needs to call, the IBM i system searches the job's library list in order. This design allows an attacker who can manipulate the library list or place objects in libraries that are searched earlier to intercept legitimate calls and substitute malicious code. The BRMS program's failure to fully qualify library references creates this privilege escalation pathway.
Attack Vector
The attack requires an authenticated user with the ability to compile or restore programs on the IBM i system. The attacker can exploit this vulnerability by:
- Creating a malicious program or service program with the same name as the object being called by BRMS
- Placing this malicious object in a library that appears earlier in the library list than the legitimate BRMS library
- Triggering the vulnerable BRMS function that makes the unqualified call
- The system resolves the call to the attacker's malicious code, which then executes with the privileges of the BRMS program
This allows the attacker to run arbitrary code with elevated component access to the host operating system, potentially compromising system integrity, confidentiality, and availability.
Detection Methods for CVE-2025-33108
Indicators of Compromise
- Unexpected programs or service programs appearing in user libraries with names matching BRMS components
- Unusual modifications to job library lists, particularly additions of non-standard libraries
- Suspicious compile or restore operations performed by users without legitimate business need
- Anomalous BRMS job activity or unexpected processes spawned during backup operations
Detection Strategies
- Monitor for program compilation and restore activities, particularly those targeting library objects with names similar to BRMS components
- Audit changes to library lists for jobs that run BRMS operations
- Review system logs for unauthorized privilege escalation attempts or unexpected program activations during BRMS execution
- Implement object auditing on critical BRMS libraries to detect tampering or unauthorized object placement
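The following is an added illustration (not IBM or BRMS code) of the resolution behaviour described under Root Cause and of the detection check suggested above: a small model of how an unqualified reference walks the job library list, beside the fully qualified form, and a routine that flags objects in earlier libraries whose name and type duplicate an object in the protected BRMS library. All library and object names are constructed placeholders (BRMSPGM stands in for whatever object the BRMS program calls, USRLIB for a library a non-privileged user can write to); on a real system the inventory would be taken from DSPOBJD output or QSYS2.OBJECT_STATISTICS and the library list from DSPLIBL or QSYS2.LIBRARY_LIST_INFO.

```python
"""Library-list resolution model and shadow detection for unqualified calls.

Added example, not IBM/BRMS code.  Names are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Obj:
    library: str
    name: str
    objtype: str  # e.g. '*PGM' or '*SRVPGM'


# Constructed inventory of program objects per library.
INVENTORY = {
    "QSYS":   {Obj("QSYS", "QCMDEXC", "*PGM")},
    "USRLIB": {Obj("USRLIB", "BRMSPGM", "*PGM")},   # duplicate of the BRMS object name
    "QBRM":   {Obj("QBRM", "BRMSPGM", "*PGM"),
               Obj("QBRM", "BRMSSRV", "*SRVPGM")},
}

# Constructed job library list in search order; USRLIB is searched before QBRM.
LIBRARY_LIST = ["QSYS", "QSYS2", "QHLPSYS", "QUSRSYS", "USRLIB", "QBRM", "QTEMP"]


def resolve(reference, objtype, liblist, inventory=INVENTORY):
    """Resolve an object reference the way the system does.

    'LIB/NAME' is looked up only in LIB.  'NAME' or '*LIBL/NAME' is searched
    through the job library list in order and the first match wins.
    Returns the matching Obj, or None.
    """
    lib, _, name = reference.rpartition("/")
    search = liblist if lib in ("", "*LIBL") else [lib]
    for candidate in search:
        for obj in inventory.get(candidate, ()):
            if obj.name == name and obj.objtype == objtype:
                return obj
    return None


def find_shadowing_objects(protected_lib, liblist, inventory=INVENTORY):
    """Detection check: objects in libraries searched *before* protected_lib
    whose name and type duplicate an object in protected_lib.

    Any hit means an unqualified call intended for protected_lib would resolve
    to the earlier library instead.  Returns [(position, Obj), ...] with
    position counted from 1 as DSPLIBL shows it.
    """
    if protected_lib not in liblist:
        return []
    protected = {(o.name, o.objtype) for o in inventory.get(protected_lib, ())}
    hits = []
    for position, lib in enumerate(liblist, start=1):
        if lib == protected_lib:
            break
        for obj in inventory.get(lib, ()):
            if (obj.name, obj.objtype) in protected:
                hits.append((position, obj))
    return hits


if __name__ == "__main__":
    weak = resolve("BRMSPGM", "*PGM", LIBRARY_LIST)          # unqualified call
    strong = resolve("QBRM/BRMSPGM", "*PGM", LIBRARY_LIST)   # fully qualified call
    print("unqualified reference resolves to", weak.library)   # USRLIB
    print("qualified reference resolves to", strong.library)   # QBRM
    for position, obj in find_shadowing_objects("QBRM", LIBRARY_LIST):
        print(f"shadow at position {position}: {obj.library}/{obj.name} {obj.objtype}")
```

The shadow check only reports duplicates that sit ahead of the protected library, because a duplicate searched after it never wins the lookup; that is also why the fix IBM describes (qualifying the call) removes the problem regardless of what the job library list contains.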
Monitoring Recommendations
- Enable journal auditing for security-relevant events including program creation, restoration, and library list modifications
- Configure alerts for any compile or restore operations by users who don't typically perform development activities
- Regularly review authority assignments for BRMS programs and related libraries
- Monitor for unexpected network connections or child processes spawned by BRMS jobs
How to Mitigate CVE-2025-33108
Immediate Actions Required
- Apply the security patches provided by IBM immediately for BRMS on IBM i versions 7.4 and 7.5
- Review and restrict user authorities for compile and restore operations to only those who require it
- Audit library lists used by BRMS jobs to ensure only authorized libraries are included
- Verify the integrity of existing objects in libraries that could potentially intercept BRMS calls
Patch Information
IBM has released a security update to address this vulnerability. Organizations should apply the patch as documented in the IBM Support Advisory. The patch modifies the BRMS program to use fully qualified library calls, eliminating the attack vector.
Workarounds
- Restrict *USE authority on BRMS libraries to prevent unauthorized users from placing objects in the library search path (creating or restoring an object into a library also requires *ADD authority to that library, so review that authority as well)
- Configure job descriptions used by BRMS to have a restricted library list that only includes necessary system and BRMS libraries
- Remove compile (*SERVICE or *CHANGE) authority from users who do not have a legitimate need
- Implement security exit programs to monitor and log program activation during BRMS operations
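As an added example (not IBM code) of the job-description audit suggested under Immediate Actions and in the second workaround, the routine below checks each job description's library list against an allow-list and, separately, flags any non-allowed library that is searched before the first BRMS library, since only those can capture an unqualified call. The allow-list and the sample rows are constructed; the LIBRARY_LIST strings are written in the space-separated form that the QSYS2.JOB_DESCRIPTION_INFO view presents (an assumption about that format), and the non-Q library names are placeholders.

```python
"""Audit job-description library lists used for BRMS jobs.

Added example, not IBM code.  Allow-list and sample rows are constructed.
"""

# Assumed allow-list: system libraries plus the BRMS product and data libraries.
ALLOWED = {"QSYS", "QSYS2", "QHLPSYS", "QUSRSYS", "QTEMP", "QBRM", "QUSRBRM"}
BRMS_LIBS = {"QBRM", "QUSRBRM"}

# Constructed sample rows: (job description, its library, LIBRARY_LIST string).
JOBD_ROWS = [
    ("BRMSJOBD", "QUSRSYS", "QSYS QSYS2 QHLPSYS QUSRSYS QBRM QUSRBRM"),
    ("BKUPJOBD", "QGPL",    "QSYS QSYS2 QHLPSYS QUSRSYS DEVLIB QBRM QUSRBRM"),
    ("OPSJOBD",  "QGPL",    "QSYS QSYS2 QHLPSYS QUSRSYS QBRM QUSRBRM QTEMP"),
    ("OLDJOBD",  "QGPL",    "QSYS QUSRSYS QGPL QBRM"),
]


def audit_library_list(liblist_str, allowed=ALLOWED, brms_libs=BRMS_LIBS):
    """Return findings for one library list string.

    'unlisted:LIB'    LIB is not on the allow-list.
    'before-brms:LIB' that unlisted LIB is searched before the first BRMS
                      library, which is the position from which it can
                      shadow an unqualified call made by a BRMS program.
    A library list with no BRMS library at all is reported as 'no-brms-lib'.
    """
    libs = liblist_str.split()
    findings = []
    brms_positions = [i for i, lib in enumerate(libs) if lib in brms_libs]
    if not brms_positions:
        findings.append("no-brms-lib")
    first_brms = brms_positions[0] if brms_positions else len(libs)
    for i, lib in enumerate(libs):
        if lib in allowed:
            continue
        findings.append(f"unlisted:{lib}")
        if i < first_brms:
            findings.append(f"before-brms:{lib}")
    return findings


def audit_all(rows=JOBD_ROWS):
    """Map job description name to its findings; clean descriptions are omitted."""
    report = {}
    for name, _library, liblist_str in rows:
        findings = audit_library_list(liblist_str)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, ", ".join(findings))
```

The ordering check is the useful part: a library that is not on the allow-list but sits after the BRMS libraries is a hygiene finding, whereas one that sits before them is the condition the vulnerability needs, so the two are reported separately.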
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


