{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12708", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "state": "PUBLISHED", "assignerShortName": "ibm", "dateReserved": "2025-11-04T19:28:32.018Z", "datePublished": "2026-03-25T20:04:21.846Z", "dateUpdated": "2026-03-25T20:04:21.846Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2026-03-25T20:04:21.846Z"}, "title": "Multiple Vulnerabilities in IBM Concert Software", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-798", "description": "CWE-798 Use of Hard-coded Credentials", "type": "CWE"}]}], "affected": [{"vendor": "IBM", "product": "Concert", "versions": [{"status": "affected", "version": "1.0.0", "lessThanOrEqual": "2.2.0", "versionType": "semver"}], "cpes": ["cpe:2.3:a:ibm:concert:1.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:concert:2.2.0:*:*:*:*:*:*:*"]}], "descriptions": [{"lang": "en", "value": "IBM Concert 1.0.0 through 2.2.0 contains hard-coded credentials that could be obtained by a local user.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>IBM Concert 1.0.0 through 2.2.0 contains hard-coded credentials that could be obtained by a local user.</p>"}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7267105", "tags": ["vendor-advisory", "patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 6.2, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}], "solutions": [{"lang": "en", "value": "IBM strongly recommends addressing the vulnerability now by upgrading to IBM Concert Software 2.3.1 Download IBM Concert Software 2.3.1 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>IBM strongly recommends addressing the vulnerability now by upgrading to IBM Concert Software 2.3.1 Download IBM Concert Software 2.3.1 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment.</p>"}]}], "x_generator": {"engine": "ibm-cvegen"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "IBM Concert 1.0.0 through 2.2.0 contains hard-coded credentials that could be obtained by a local user."}], "id": "CVE-2025-12708", "lastModified": "2026-03-25T20:16:22.067", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 3.6, "source": "psirt@us.ibm.com", "type": "Primary"}]}, "published": "2026-03-25T20:16:22.067", "references": [{"source": "psirt@us.ibm.com", "url": "https://www.ibm.com/support/pages/node/7267105"}], "sourceIdentifier": "psirt@us.ibm.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "psirt@us.ibm.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T21:29:15.485119+00:00", "value": {"mitigation_remediation": ["Upgrade IBM Concert Software to version 2.3.1 following IBM\u2019s installation instructions.", "Verify that the new installation no longer contains hard\u2011coded credentials.", "Remove any older installations of Concert that are still vulnerable.", "Monitor system logs for attempts to use legacy credentials or anomalous authentication activity."], "summary": {"action": "Immediate Patch", "impact": "Credential Access via Hard\u2011Coded Credentials"}, "threat_synthesis": {"affected_systems": "The affected products are IBM Concert Software versions 1.0.0 and 2.2.0. The vendor recommends upgrading to version 2.3.1, which removes the hard\u2011coded credentials, to mitigate the risk.", "description_and_impact": "IBM Concert versions 1.0.0 through 2.2.0 include hard\u2011coded credentials that can be retrieved by a local user. These credentials provide direct access to protected system functions, enabling the local attacker to authenticate without authorization. The vulnerability is classified under CWE\u2011798, indicating improper credential storage or disclosure.", "risk_and_exploitability": "The CVSS score of 6.2 labels this as a moderate severity issue. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack requires local access; an attacker with local privileges can read the stored credentials and use them to gain further access to system resources. No remote exploitation vector is documented. The overall risk is moderate, but due to the sensitive nature of credential exposure, immediate action is advised."}}}}, "created": "2026-03-25T21:46:18.273197+00:00", "updated": "2026-03-25T21:46:18.273228+00:00", "vendors": []}