CVE-2025-36041

MEDIUM

IBM MQ Operator < 2.0.29 - Improper Certificate Validation

Title source: rule

Description

IBM MQ Operator LTS 2.0.0 through 2.0.29, MQ Operator CD 3.0.0, 3.0.1, 3.1.0 through 3.1.3, 3.3.0, 3.4.0, 3.4.1, 3.5.0, 3.5.1 through 3.5.3, and MQ Operator SC2 3.2.0 through 3.2.12 Native HA CRR could be configured with a private key and chain other than the intended key which could disclose sensitive information or allow the attacker to perform unauthorized actions.

Exploits (1)

nomisec WORKING POC 2 stars

by byteReaper77 · poc

https://github.com/byteReaper77/CVE-2025-36041

View Code ZIP pw:eip

References (1)

[Vendor Advisory] https://www.ibm.com/support/pages/node/7236608

Scores

CVSS v3 4.7

EPSS 0.0004

EPSS Percentile 13.0%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-295

Status published

Products (20)

ibm/mq_operator 3.0.0

ibm/mq_operator 3.0.1

ibm/mq_operator 3.3.0

ibm/mq_operator 3.4.0

ibm/mq_operator 3.4.1

ibm/mq_operator 3.5.0

ibm/mq_operator 2.0.0 - 2.0.29

ibm/mq_operator 2.2.0 - 2.2.2

ibm/mq_operator 3.1.0 - 3.1.3

ibm/mq_operator 3.2.0 - 3.2.12

... and 10 more

Published Jun 15, 2025

Tracked Since Feb 18, 2026