CVE Alert: CVE-2025-36222 – IBM – Fusion

CVE-2025-36222

HIGH · No exploitation known

IBM Fusion 2.2.0 through 2.10.1, IBM Fusion HCI 2.2.0 through 2.10.0, and IBM Fusion HCI for watsonx 2.8.2 through 2.10.0 use insecure default configurations that could expose AMQStreams without client authentication, which could allow an attacker to perform unauthorized actions.

CVSS v3.1 (8.7)
AV NETWORK · AC HIGH · PR NONE · UI NONE · S CHANGED
Vendor | Product                | Affected versions (inclusive)
IBM    | Fusion                 | 2.2.0 through 2.10.1
IBM    | Fusion HCI             | 2.2.0 through 2.10.0
IBM    | Fusion HCI for watsonx | 2.8.2 through 2.10.0
CWE
CWE-1188 Insecure Default Initialization of Resource
Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Published
2025-09-11T20:44:06.696Z
Updated
2025-09-11T20:44:06.696Z
CPE
cpe:2.3:a:ibm:storage_fusion:2.2.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:storage_fusion:2.10.1:*:*:*:*:*:*:*
cpe:2.3:a:ibm:storage_fusion_hci:2.2.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:storage_fusion_hci:2.10.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:storage_fusion_hci_for_watsonx:2.8.2:*:*:*:*:*:*:*
cpe:2.3:a:ibm:storage_fusion_hci_for_watsonx:2.10.0:*:*:*:*:*:*:*

AI Summary Analysis

Risk verdict

High risk. Remote unauthenticated access to AMQStreams could enable unauthorized actions; no explicit KEV/SSVC exploitation state reported.

Why this matters

An exposed message broker can leak confidential data and lets an attacker inject, alter or exfiltrate messages. AMQStreams is Red Hat's distribution of Apache Kafka, so unauthenticated access here means the attacker can act as an ordinary Kafka client and administrator: from there they could pivot into the Fusion components that consume those topics, disrupt operations, or escalate to the broader infrastructure.

Most likely attack path

Network reachability to the AMQStreams broker is sufficient; no privileges or user interaction are required. The High attack complexity in the vector signals that some precondition outside the attacker's direct control, such as being able to reach the broker listener at all, must hold. With the insecure defaults in place, an attacker could produce to and consume from topics, or perform administrative actions such as creating topics and altering configuration, without presenting any credential. The Scope: Changed rating indicates impact beyond the broker itself, on the Fusion components that trust its topics, which is what makes lateral movement to related services plausible.

Who is most exposed

Typical deployments of IBM Fusion and Fusion HCI in on-premises or private/hybrid environments where broker endpoints are reachable beyond the cluster or are not adequately network-segmented. Organisations that expose the broker to a WAN or apply lax access controls are particularly at risk.

Detection ideas

  • Connections to broker listeners that present no client certificate or SASL credential, especially from hosts outside the Fusion cluster
  • Topic creation, deletion or configuration changes attributed to the anonymous principal (Kafka records an unauthenticated client as User:ANONYMOUS)
  • Sudden spikes in produce/consume volume, new consumer groups, or unexpected use of the admin API
  • Broker logs or listener configuration showing plaintext listeners or listeners with no authentication configured
  • Unexpected changes in Fusion components that consume from the affected topics
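The detection ideas above can be checked against broker logs directly. The following is an added example, not code from the page or from IBM: it scans a constructed batch of Kafka authorizer audit lines, flags every request the broker allowed for the anonymous principal, ranks state-changing operations higher than reads, counts denied anonymous attempts as a reconnaissance signal, and warns when no authorizer lines are present at all (a broker with no authorizer configured logs nothing here, so silence is not evidence of safety). The line format is an assumption modeled on Kafka's AclAuthorizer logger; the sample lines, hosts and topic names are constructed.

```python
import re
from collections import Counter

# Constructed sample of Kafka authorizer audit lines. The line shape is an
# assumption modeled on the kafka.authorizer.logger output of Kafka's
# AclAuthorizer; check it against the lines your brokers actually emit.
SAMPLE_LOG = """\
[2025-09-12 10:14:03,118] INFO Principal = User:ANONYMOUS is Allowed Operation = Write from host = 10.20.30.40 on resource = Topic:LITERAL:fusion-events for request = Produce with resourceRefCount = 1 (kafka.authorizer.logger)
[2025-09-12 10:14:05,402] INFO Principal = User:ANONYMOUS is Allowed Operation = Create from host = 10.20.30.40 on resource = Topic:LITERAL:attacker-topic for request = CreateTopics with resourceRefCount = 1 (kafka.authorizer.logger)
[2025-09-12 10:14:07,009] INFO Principal = User:CN=fusion-backup is Allowed Operation = Read from host = 10.0.1.7 on resource = Topic:LITERAL:fusion-events for request = Fetch with resourceRefCount = 1 (kafka.authorizer.logger)
[2025-09-12 10:14:09,330] INFO Principal = User:ANONYMOUS is Denied Operation = Describe from host = 198.51.100.9 on resource = Cluster:LITERAL:kafka-cluster for request = Metadata with resourceRefCount = 1 (kafka.authorizer.logger)
[2025-09-12 10:14:11,777] INFO Principal = User:ANONYMOUS is Allowed Operation = Describe from host = 198.51.100.9 on resource = Cluster:LITERAL:kafka-cluster for request = Metadata with resourceRefCount = 1 (kafka.authorizer.logger)
"""

AUTHZ_RE = re.compile(
    r"Principal = (?P<principal>\S+) is (?P<decision>Allowed|Denied) "
    r"Operation = (?P<operation>\w+) from host = (?P<host>\S+) "
    r"on resource = (?P<resource>\S+) for request = (?P<request>\w+)"
)

# Kafka's principal for a client that presented no credential at all.
ANONYMOUS = "User:ANONYMOUS"

# Operations that change data or topology; anonymous success here is the
# "unauthorized action" the advisory describes, not just a read.
MUTATING_OPS = {"Write", "Create", "Delete", "Alter", "AlterConfigs", "ClusterAction"}


def parse_authz_line(line):
    """Return the fields of one authorizer line, or None if it is not one."""
    m = AUTHZ_RE.search(line)
    return m.groupdict() if m else None


def triage_authorizer_log(lines):
    """Summarise anonymous activity in a batch of broker log lines.

    anonymous_allowed: (severity, host, operation, resource) for every request
                       an unauthenticated client was allowed to perform
    anonymous_denied:  count of anonymous requests the authorizer rejected
                       (reconnaissance signal even when nothing got through)
    hosts:             sources that obtained anonymous access, with counts
    warning:           set when no authorizer lines were seen at all, because
                       a broker with no authorizer logs nothing here and
                       anonymous use would be invisible to this check
    """
    report = {"parsed": 0, "anonymous_allowed": [], "anonymous_denied": 0,
              "hosts": Counter(), "warning": None}
    for line in lines:
        ev = parse_authz_line(line)
        if ev is None:
            continue
        report["parsed"] += 1
        if ev["principal"] != ANONYMOUS:
            continue
        if ev["decision"] == "Denied":
            report["anonymous_denied"] += 1
            continue
        severity = "high" if ev["operation"] in MUTATING_OPS else "medium"
        report["anonymous_allowed"].append(
            (severity, ev["host"], ev["operation"], ev["resource"]))
        report["hosts"][ev["host"]] += 1
    if report["parsed"] == 0:
        report["warning"] = ("no authorizer events found: authorization logging is off "
                             "or no authorizer is configured, so anonymous access "
                             "cannot be confirmed or ruled out from these logs")
    return report


if __name__ == "__main__":
    r = triage_authorizer_log(SAMPLE_LOG.splitlines())
    for sev, host, op, res in r["anonymous_allowed"]:
        print(f"{sev:6} anonymous {op} on {res} from {host}")
    print(f"anonymous denied: {r['anonymous_denied']}, hosts: {dict(r['hosts'])}")
```

Run it against a day of broker logs rather than the sample; any high finding is a confirmed unauthenticated write or topology change, and the warning branch is itself a finding, since it means the broker has no authorizer and therefore no way to refuse the anonymous principal.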

Mitigation and prioritisation

  • Upgrade to the advised version (2.11.0) and verify that the upgrade actually removed the unauthenticated listener, not only that the version string changed
  • Enforce TLS plus client authentication (mutual TLS or SASL) on every AMQStreams listener, enable an authorizer so the anonymous principal holds no rights, and disable anonymous access
  • Tighten network controls: restrict broker reachability to trusted networks with network policies or firewall rules
  • Apply least-privilege ACLs, audit logging and credential rotation, and route the changes through change management
  • If a KEV entry appears or EPSS ≥ 0.5, treat as priority 1; otherwise proceed as high priority with fixed-window patching.
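To make the second and fourth mitigations checkable, here is an added example, not code from the page or from IBM, that audits a Kafka custom resource for the weak defaults the advisory describes and shows the corrected configuration beside it. The resource shape is an assumption: AMQStreams is built on Strimzi, so the example mirrors Strimzi's spec.kafka.listeners and spec.kafka.authorization fields as Python dicts, but the page does not say how Fusion deploys the broker, and the listener names, ports and specs are constructed. The audit flags listeners with no authentication (worse when the listener type publishes the broker outside the cluster), plaintext listeners, a missing authorizer, and the allow.everyone.if.no.acl.found broker setting that silently undoes ACLs.

```python
# Two Strimzi-style Kafka resources written as Python dicts mirroring the
# YAML layout of spec.kafka.listeners and spec.kafka.authorization. This is
# an assumed shape: adapt the field paths if the deployed resource differs.
WEAK_SPEC = {
    "apiVersion": "kafka.strimzi.io/v1beta2",
    "kind": "Kafka",
    "spec": {"kafka": {
        "listeners": [
            # plaintext, no authentication: any client on the network is User:ANONYMOUS
            {"name": "plain", "port": 9092, "type": "internal", "tls": False},
            # TLS on the wire but no client authentication, and reachable from outside the cluster
            {"name": "external", "port": 9094, "type": "route", "tls": True},
        ],
        # no "authorization" block: no ACLs exist, so every principal can do anything
    }},
}

HARDENED_SPEC = {
    "apiVersion": "kafka.strimzi.io/v1beta2",
    "kind": "Kafka",
    "spec": {"kafka": {
        "listeners": [
            {"name": "tls", "port": 9093, "type": "internal", "tls": True,
             "authentication": {"type": "tls"}},
            {"name": "external", "port": 9094, "type": "route", "tls": True,
             "authentication": {"type": "scram-sha-512"}},
        ],
        "authorization": {"type": "simple"},
        "config": {"allow.everyone.if.no.acl.found": "false"},
    }},
}

# Listener types that publish the broker outside the cluster network.
EXTERNAL_TYPES = {"route", "loadbalancer", "nodeport", "ingress"}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


def audit_kafka_spec(resource):
    """Return (severity, location, problem) findings for a Kafka resource, worst first."""
    kafka = resource.get("spec", {}).get("kafka", {})
    findings = []
    for listener in kafka.get("listeners", []):
        where = f"listener {listener.get('name', '?')}:{listener.get('port', '?')}"
        external = listener.get("type") in EXTERNAL_TYPES
        if "authentication" not in listener:
            findings.append(("critical" if external else "high", where,
                             "no client authentication; clients connect as User:ANONYMOUS"))
        if not listener.get("tls", False):
            findings.append(("medium", where,
                             "tls disabled; data and any credentials travel in clear text"))
    if "authorization" not in kafka:
        findings.append(("medium", "spec.kafka",
                         "no authorizer; every principal, including anonymous, is unrestricted"))
    config = kafka.get("config", {})
    if str(config.get("allow.everyone.if.no.acl.found", "false")).lower() == "true":
        findings.append(("high", "spec.kafka.config",
                         "allow.everyone.if.no.acl.found=true grants access wherever no ACL exists"))
    return sorted(findings, key=lambda f: SEVERITY_RANK[f[0]])


def is_hardened(resource):
    """True only when the audit finds nothing to report."""
    return not audit_kafka_spec(resource)


if __name__ == "__main__":
    for label, spec in (("weak", WEAK_SPEC), ("hardened", HARDENED_SPEC)):
        findings = audit_kafka_spec(spec)
        print(f"{label}: {len(findings)} finding(s)")
        for sev, where, problem in findings:
            print(f"  {sev:8} {where}: {problem}")
```

Feed the function the live resource (for example the parsed output of a kubectl get of the Kafka object) after the 2.11.0 upgrade: an empty finding list is the post-patch verification the first mitigation asks for, and any unauthenticated listener that survives the upgrade means the insecure default is still in place regardless of the version number.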
