{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-64647", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "state": "PUBLISHED", "assignerShortName": "ibm", "dateReserved": "2025-11-06T18:13:00.559Z", "datePublished": "2026-03-25T20:37:23.724Z", "dateUpdated": "2026-03-25T20:37:23.724Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2026-03-25T20:37:23.724Z"}, "title": "Multiple Vulnerabilities in IBM Concert Software", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-1240", "description": "CWE-1240 Use of a Cryptographic Primitive with a Risky Implementation", "type": "CWE"}]}], "affected": [{"vendor": "IBM", "product": "Concert", "versions": [{"status": "affected", "version": "1.0.0", "lessThanOrEqual": "2.2.0", "versionType": "semver"}], "cpes": ["cpe:2.3:a:ibm:concert:1.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:concert:2.2.0:*:*:*:*:*:*:*"]}], "descriptions": [{"lang": "en", "value": "IBM Concert 1.0.0 through 2.2.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>IBM Concert 1.0.0 through 2.2.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information</p>"}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7267105", "tags": ["vendor-advisory", "patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}}], "solutions": [{"lang": "en", "value": "IBM strongly recommends addressing the vulnerability now by upgrading to IBM Concert Software 2.3.1\n\nDownload IBM Concert Software 2.3.1 from Container software library section of IBM Entitled Registry ( ICR https://myibm.ibm.com/products-services/containerlibrary ) and follow\u00a0 installation instructions https://www.ibm.com/docs/en/concert \u00a0depending on the type of deployment.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>IBM strongly recommends addressing the vulnerability now by upgrading to IBM Concert Software 2.3.1</p><p>Download IBM Concert Software 2.3.1 from Container software library section of IBM Entitled Registry (<a href=\"https://myibm.ibm.com/products-services/containerlibrary\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">ICR</a>) and follow&nbsp;<a href=\"https://www.ibm.com/docs/en/concert?topic=installing-preparing-run-installs-from-private-container-registry\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">installation instructions</a>&nbsp;depending on the type of deployment.</p>"}]}], "x_generator": {"engine": "ibm-cvegen"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "IBM Concert 1.0.0 through 2.2.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information"}], "id": "CVE-2025-64647", "lastModified": "2026-03-25T21:16:25.823", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "psirt@us.ibm.com", "type": "Primary"}]}, "published": "2026-03-25T21:16:25.823", "references": [{"source": "psirt@us.ibm.com", "url": "https://www.ibm.com/support/pages/node/7267105"}], "sourceIdentifier": "psirt@us.ibm.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1240"}], "source": "psirt@us.ibm.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T21:22:34.276791+00:00", "value": {"mitigation_remediation": ["Upgrade IBM Concert Software to version 2.3.1 immediately.", "Download the 2.3.1 update from IBM Entitled Registry at https://myibm.ibm.com/products-services/containerlibrary and follow the installation instructions at https://www.ibm.com/docs/en/concert."], "summary": {"action": "Immediate Patch", "impact": "Potential disclosure of highly sensitive information due to weak cryptographic algorithms"}, "threat_synthesis": {"affected_systems": "IBM Concert Software, versions 1.0.0 up to 2.2.0, are affected. These releases are identified under the CPE strings for IBM Concert 1.0.0 and 2.2.0. Administrators using these versions should verify which release they are running and address the issue promptly.", "description_and_impact": "IBM Concert Software versions 1.0.0 through 2.2.0 implement cryptographic algorithms that are weaker than expected, allowing an adversary to decrypt sensitive data. The vulnerability is identified as CWE\u20111240, a weakness in cryptographic implementation. If exploited, an attacker could gain unauthorized access to data that should be protected, potentially compromising confidentiality and integrity of the system\u2019s information.", "risk_and_exploitability": "The CVSS v3 score of 5.9 indicates moderate severity. No EPSS score is available, and the vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack vector is that an attacker with access to encrypted data can exploit the weak algorithms to decrypt it, and may be able to perform this without additional privileges. Given the potential for sensitive data exposure, the risk to affected systems is significant, and a timely patch is recommended to mitigate the attack surface."}}}}, "created": "2026-03-25T21:46:02.768668+00:00", "updated": "2026-03-25T21:46:02.768728+00:00", "vendors": []}