CVE Alert: CVE-2025-3356 – IBM – Tivoli Monitoring

CVE-2025-3356

HIGH · No exploitation known

IBM Tivoli Monitoring 6.3.0.7 through 6.3.0.7 Service Pack 21 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view, overwrite, or append to arbitrary files on the system.

CVSS v3.1 (8.6)
AV NETWORK · AC LOW · PR NONE · UI NONE · S UNCHANGED
Vendor
IBM
Product
Tivoli Monitoring
Versions
6.3.0.7 through 6.3.0.7 Service Pack 21
CWE
CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Published
2025-10-30T19:22:37.371Z
Updated
2025-10-30T19:41:12.149Z
cpe:2.3:a:ibm:tivoli_monitoring:6.3.0.7:*:*:*:*:*:*:*
cpe:2.3:a:ibm:tivoli_monitoring:6.3.0.7:sp21:*:*:*:*:*:*

AI Summary Analysis

Risk verdict

High risk: unauthenticated remote path-traversal allowing arbitrary file read/write with potential service disruption; exploitation not observed yet.

Why this matters

In IBM Tivoli Monitoring deployments, an attacker could view, overwrite, or append critical files, potentially corrupting monitoring configurations or logs and causing downtime or inaccurate dashboards. The low confidentiality impact belies a high availability risk, particularly in large enterprise monitoring ecosystems where tampering with config or log files can cascade into broader service outages.

Most likely attack path

No authentication and no user interaction are required. An attacker can craft URL requests with /../ sequences over the network-facing interface to reach restricted directories. With PR:N, AC:L and UI:N, the only barrier to initial access is network reachability of the interface, which allows rapid attempts at file manipulation within the affected scope. Lateral movement depends on accessible file paths within the same trust domain; credentialed access is not required.

Who is most exposed

Common in on-premises, enterprise-scale Tivoli Monitoring deployments where management ports are exposed or insufficiently network-segmented. Organisations with centralised monitoring hubs and limited network controls are particularly at risk.

Detection ideas

  • Web logs show repeated /../ and directory traversal patterns in requests.
  • Unusual or unexpected writes to system or application directories.
  • Sudden changes to monitoring configuration or log files.
  • Anomalous file creation/modification timestamps aligned with monitoring windows.
  • Increased 404/500 errors tied to traversal attempts.
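The first and last detection ideas above, as an added example (not code from the advisory or from IBM): a Python scan of web access logs that flags requests whose URL path contains a `..` segment and tallies the response codes per source. It assumes Common/Combined Log Format and uses constructed sample lines and paths; it also normalises percent-encoded and double-encoded forms, which goes beyond the literal /../ named above.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Assumption: Common/Combined Log Format; adapt the regex to your server.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (documentation IP ranges, made-up paths).
SAMPLE = [
    '192.0.2.10 - - [30/Oct/2025:19:30:01 +0000] "GET /ui/../../conf/sample.cfg HTTP/1.1" 404 153',
    '192.0.2.10 - - [30/Oct/2025:19:30:02 +0000] "GET /ui/%2e%2e/%2e%2e/conf/sample.cfg HTTP/1.1" 500 0',
    '192.0.2.10 - - [30/Oct/2025:19:30:03 +0000] "GET /ui/%252e%252e%252fconf%252fsample.cfg HTTP/1.1" 200 812',
    '198.51.100.7 - - [30/Oct/2025:19:31:00 +0000] "GET /ui/report..final.html?ref=a/../b HTTP/1.1" 200 4096',
    '198.51.100.7 - - [30/Oct/2025:19:31:05 +0000] "GET /ui/index.html HTTP/1.1" 200 1024',
]

def fully_decode(text, max_rounds=3):
    """Percent-decode repeatedly so double-encoded dots and slashes are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def has_traversal(target):
    """True if a segment of the URL path is exactly '..' (query string is not checked)."""
    path = fully_decode(target.split("?", 1)[0]).replace("\\", "/")
    return ".." in path.split("/")

def scan(lines):
    """Map source IP -> Counter of response statuses for traversal requests."""
    report = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if m and has_traversal(m["target"]):
            report[m["ip"]][m["status"]] += 1
    return dict(report)

def answered_ok(report):
    """Source IPs whose traversal requests received a 2xx: triage these first."""
    return sorted(ip for ip, codes in report.items()
                  if any(code.startswith("2") for code in codes))

if __name__ == "__main__":
    for ip, codes in scan(SAMPLE).items():
        print(ip, dict(codes))
    print("2xx on traversal:", answered_ok(scan(SAMPLE)))
```

A 2xx response to a traversal request is the case to correlate with the file-system write and timestamp indicators in the list above.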

Mitigation and prioritisation

  • Apply IBM’s remediation (SP21 or newer) as a priority patch.
  • If patching is delayed, implement network segmentation and block traversal payloads at the gateway/WAF.
  • Enforce strict access controls: minimise exposure of the Tivoli interface to trusted networks only.
  • Enable monitoring on file-system writes to critical directories and audit logs for traversal patterns.
  • Treat as priority 2–3 until patching is complete; if KEV/EPSS indicators emerge, elevate to priority 1.
