CVE-2025-36137 Overview
CVE-2025-36137 is a privilege escalation vulnerability in IBM Sterling Connect:Direct for Unix. The flaw stems from incorrect permission assignment for maintenance tasks granted to Control Center Director (CCD) users. Post-update scripts run with unnecessary privileges, allowing an already privileged user to escalate further on the host.
The issue is tracked under CWE-250: Execution with Unnecessary Privileges. Affected releases include 6.2.0.7 through 6.2.0.9 iFix004, 6.3.0.2 through 6.3.0.5 iFix002, and 6.4.0.0 through 6.4.0.2 iFix001. IBM has published guidance and fixed builds on the IBM Support Page.
Critical Impact
An authenticated CCD user with high privileges can leverage misconfigured maintenance script permissions to gain elevated control over the Connect:Direct for Unix host, impacting confidentiality, integrity, and availability.
Affected Products
- IBM Sterling Connect:Direct for Unix 6.2.0.7 through 6.2.0.9 iFix004
- IBM Sterling Connect:Direct for Unix 6.3.0.2 through 6.3.0.5 iFix002
- IBM Sterling Connect:Direct for Unix 6.4.0.0 through 6.4.0.2 iFix001
Discovery Timeline
- 2025-10-30 - CVE-2025-36137 published to NVD
- 2025-12-12 - Last updated in NVD database
Technical Details for CVE-2025-36137
Vulnerability Analysis
IBM Sterling Connect:Direct for Unix is a managed file transfer (MFT) product used to move sensitive data between enterprise systems. The Control Center Director (CCD) component centrally administers Connect:Direct nodes and pushes maintenance and update operations to them. CVE-2025-36137 arises because post-update scripts executed on the Unix host inherit privileges broader than required for their function.
A CCD user authorized to trigger maintenance tasks can abuse this excess privilege to perform actions outside the intended administrative scope. The result is a vertical privilege escalation on the underlying host that runs the Connect:Direct agent. The vulnerability requires high privileges (PR:H) but no user interaction and is reachable over the network through normal CCD workflows.
Root Cause
The root cause is mapped to CWE-250: Execution with Unnecessary Privileges. Maintenance scripts run after updates do not drop privileges to the minimum required, violating the principle of least privilege. CCD-initiated workflows therefore execute with rights that allow a privileged user to influence files, processes, or configurations outside the maintenance scope.
Attack Vector
An attacker must already hold a privileged CCD account or compromise one. Using the legitimate maintenance pathway, the attacker triggers post-update scripts on a managed Connect:Direct for Unix node. Because those scripts execute with elevated privileges, the attacker can leverage the workflow to read protected data, modify Connect:Direct configuration, or execute commands in the privileged context.
No public proof-of-concept exploit is available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2025-36137
Indicators of Compromise
- Unexpected post-update or maintenance script executions on Connect:Direct for Unix hosts that do not align with a scheduled change window.
- New or modified files in Connect:Direct installation and configuration directories created by maintenance task processes.
- CCD audit entries showing maintenance tasks initiated by users who do not typically perform update operations.
Detection Strategies
- Audit CCD user roles and identify accounts with maintenance task entitlements that exceed business need.
- Compare the running version of Connect:Direct for Unix against fixed releases listed on the IBM Support Page.
- Correlate Connect:Direct process telemetry with CCD task history to detect script executions that lack a corresponding authorized change.
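The version comparison in the second strategy above is easy to get wrong because iFix levels sort after the base four-part version. The following added example (not IBM's code) parses version strings in the "6.3.0.5 iFix002" form used by this advisory and tests them against the affected ranges listed here; it only reports membership in the published affected ranges, and the `extract_version` helper assumes the `-version` output contains such a string somewhere in its text.

```python
import re

# Affected ranges from the advisory, inclusive at both ends.
# A bare "6.2.0.7" is treated as iFix 0 so it sorts below any iFix build.
AFFECTED_RANGES = [
    ("6.2.0.7", "6.2.0.9 iFix004"),
    ("6.3.0.2", "6.3.0.5 iFix002"),
    ("6.4.0.0", "6.4.0.2 iFix001"),
]

_VERSION_PATTERN = r"(\d+)\.(\d+)\.(\d+)\.(\d+)(?:\s*iFix\s*(\d+))?"
_FULL_RE = re.compile(r"^" + _VERSION_PATTERN + r"$", re.IGNORECASE)
_SEARCH_RE = re.compile(_VERSION_PATTERN, re.IGNORECASE)


def parse_version(text):
    """Turn '6.3.0.5 iFix002' into a comparable tuple (6, 3, 0, 5, 2).

    Raises ValueError on anything that is not a four-part version with an
    optional iFix suffix, so malformed input is never silently 'not affected'.
    """
    m = _FULL_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, mod, fix, ifix = m.groups()
    return (int(major), int(minor), int(mod), int(fix), int(ifix or 0))


def is_affected(text):
    """True when the version lies inside one of the published affected ranges."""
    v = parse_version(text)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def extract_version(output):
    """Pull the first version-looking token out of free-form tool output.

    Assumption: the installed product prints its version somewhere in the text;
    the exact output layout of the vendor tool is not specified on this page.
    """
    m = _SEARCH_RE.search(output)
    if not m:
        return None
    return m.group(0)


if __name__ == "__main__":
    sample_output = "Connect:Direct for UNIX  Version 6.3.0.5 iFix002  (constructed sample)"
    found = extract_version(sample_output)
    print(found, "affected" if is_affected(found) else "outside published affected ranges")
```

A version above an affected range's upper bound is reported as outside the range, not as confirmed fixed; the remediating iFix levels come from the IBM Support Page.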
Monitoring Recommendations
- Forward Connect:Direct and CCD logs to a central SIEM and alert on maintenance task invocations outside approved windows.
- Monitor the Unix service account used by Connect:Direct for spawned shells, privilege transitions, or writes to system paths.
- Track file integrity for Connect:Direct binaries, configuration files, and post-update script directories.
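To make the "outside approved windows" alert and the CCD-to-host correlation concrete, here is an added example (not part of the advisory or of IBM's tooling) that runs the logic over constructed records. The record fields, the change-window table, the maintenance-role user list and the script path `/opt/cdunix/install/postupdate.sh` are all assumptions standing in for whatever your SIEM normalises the real CCD audit log and host process telemetry into.

```python
from datetime import datetime, timedelta

# Constructed sample data; the schema is an assumption, not IBM's log format.
CCD_TASKS = [  # maintenance tasks as recorded in the CCD audit log
    {"ts": "2025-11-03T02:05:00", "user": "ccd_ops", "node": "cdu-prod-01", "task": "apply-update"},
    {"ts": "2025-11-03T14:20:00", "user": "ccd_report", "node": "cdu-prod-02", "task": "apply-update"},
]
HOST_EVENTS = [  # process-start telemetry from the Connect:Direct Unix hosts
    {"ts": "2025-11-03T02:06:10", "node": "cdu-prod-01", "cmd": "/opt/cdunix/install/postupdate.sh"},
    {"ts": "2025-11-03T14:21:05", "node": "cdu-prod-02", "cmd": "/opt/cdunix/install/postupdate.sh"},
    {"ts": "2025-11-04T09:00:00", "node": "cdu-prod-01", "cmd": "/opt/cdunix/install/postupdate.sh"},
]
CHANGE_WINDOWS = {  # approved maintenance windows per node (assumed CMDB export)
    "cdu-prod-01": [("2025-11-03T02:00:00", "2025-11-03T04:00:00")],
    "cdu-prod-02": [("2025-11-03T02:00:00", "2025-11-03T04:00:00")],
}
MAINTENANCE_USERS = {"ccd_ops"}  # CCD accounts expected to run update tasks


def _t(stamp):
    return datetime.fromisoformat(stamp)


def in_change_window(node, stamp):
    """True if the timestamp falls inside an approved window for that node."""
    t = _t(stamp)
    return any(_t(start) <= t <= _t(end) for start, end in CHANGE_WINDOWS.get(node, []))


def find_alerts(tasks=CCD_TASKS, events=HOST_EVENTS, slack=timedelta(minutes=5)):
    """Return (alert_type, subject, timestamp) tuples for the three detections.

    1. a CCD maintenance task outside the node's approved change window;
    2. a maintenance task initiated by a user who does not normally do so;
    3. a post-update script start on a host with no CCD task for that node
       within `slack` before it, i.e. a script run with no authorising task.
    """
    alerts = []
    for task in tasks:
        if not in_change_window(task["node"], task["ts"]):
            alerts.append(("task_outside_window", task["node"], task["ts"]))
        if task["user"] not in MAINTENANCE_USERS:
            alerts.append(("unexpected_maintenance_user", task["user"], task["ts"]))
    for ev in events:
        authorised = any(
            ev["node"] == task["node"]
            and timedelta(0) <= _t(ev["ts"]) - _t(task["ts"]) <= slack
            for task in tasks
        )
        if not authorised:
            alerts.append(("script_without_ccd_task", ev["node"], ev["ts"]))
    return alerts
```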
How to Mitigate CVE-2025-36137
Immediate Actions Required
- Apply the fixed iFix releases published by IBM for the 6.2.x, 6.3.x, and 6.4.x branches as documented in the IBM security bulletin.
- Review and reduce the set of CCD users granted maintenance task privileges to the minimum required.
- Rotate credentials for any CCD account that may have been exposed and review recent maintenance task history for unexpected entries.
Patch Information
IBM has released fixed versions for the affected branches. Refer to the IBM Support Page for the specific iFix levels that remediate CVE-2025-36137 and for the upgrade path from 6.2.0.9 iFix004, 6.3.0.5 iFix002, 6.4.0.2 iFix001 and earlier maintenance levels.
Workarounds
- Restrict network access to the CCD management interface so only trusted administrative hosts can issue maintenance tasks.
- Disable or avoid invoking the affected maintenance and post-update workflows until patches are applied.
- Run Connect:Direct under a dedicated, least-privileged Unix service account and audit sudoers and filesystem ACLs that the maintenance scripts depend on.
# Configuration example: verify installed Connect:Direct for Unix version
# Replace /opt/cdunix with your installation path
/opt/cdunix/ndm/bin/direct -version
# List CCD-related processes running under the Connect:Direct account
ps -ef | grep -E 'cdpmgr|ndm' | grep -v grep
# Review ownership and permissions on post-update script directories
ls -la /opt/cdunix/ndm/bin /opt/cdunix/install
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.