IBM has patched a critical CVSS 10 vulnerability that would give a remote attacker fully unauthenticated command execution on AIX or VIOS systems.

The bug, allocated CVE-2025-36250, is one of four affecting AIX patched by IBM on November 14, it said in an advisory updated today (November 17.)

IBM’s AIX is an OS that is often used on servers running mission-critical workloads in heavily regulated industries. It is still supported by IBM.

Big Blue pushed patches affecting AIX for:

  • CVE‑2025‑36250 (CVSS 10): Pre-auth RCE in the NIM master (nimesis) service.
  • CVE‑2025‑36251 (CVSS 9.6): Pre-auth RCE in the NIM service handler (nimsh) – SSL/TLS implementation) 
  • CVE‑2025‑36236 (CVSS 8.2): Directory traversal and arbitrary file-write via specially crafted URL requests in the NIM server.
  • CVE‑2025‑36096 (CVSS 9.0): Insecure storage of NIM private keys – accessible via “attacker-in-the-middle” attacks.

The bugs all affect NIM (Network Installation Manager) infrastructure, which, per Sentrium, “provides unattended [OS] installation, configuration, updates and third-party software. As such, NIM is often installed on a highly privileged system within large enterprise infrastructure environments.”  

No AIX exploits are listed on CISA’s KEV database (where just seven IBM vulnerabilities can be seen; the most recent allocated in 2022) and the vulnerability (allocated CVE-2025-36250) is not known to be exploited.

A supplier to the aerospace sector was hit via its AIX servers last year, however. (Admittedly this is because it was running an internet-exposed Apache Axis admin portal with default administrator credentials…)

“There can be legitimate reasons for exposing a NIM-enabled AIX server to the internet to complete specific administrative tasks, such as downloading patches or updates from IBM's support systems, NIM updates, or automated error reporting. Of course, best practice would be keep this access highly restricted and limited to only certain hosts or networks,” commented vulnerability management firm Mondoo.

It urged users to keep an eye out “for unexpected file writes in NIM server directories, unusual command execution, and certificate/private-key anomalies” and to ensure SSL/TLS for nimsh is configured securely with proper process controls.

All four IBM AIX vulnerabilities were reported by Swiss cybersecurity firm Oneconsult AG’s Chief Innovation Officer Jan Alsenz, IBM’s advisory showed.

Notably, IBM documentation flags, the NIM client daemon (NIMSH) uses reserved ports 3901 and 3902, and it installs as part of the bos.sysmgt.nim.client fileset… While NIMSH eliminates the need for rsh, it does not provide trusted authentication based on key encryption.

Users should check asset registers and other data sources to confirm all installations of AIX. As Sentrium notes, on each AIX/VIOS host, you can run;

ps -ef | grep nim

… to verify whether NIM master/client services are running and if they are, consider patching up or mitigating per IBM’s guidance this week. 

The link has been copied!