{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-64647", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "state": "PUBLISHED", "assignerShortName": "ibm", "dateReserved": "2025-11-06T18:13:00.559Z", "datePublished": "2026-03-25T20:37:23.724Z", "dateUpdated": "2026-03-26T16:10:00.297Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2026-03-25T20:37:23.724Z"}, "title": "Multiple Vulnerabilities in IBM Concert Software", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-1240", "description": "CWE-1240 Use of a Cryptographic Primitive with a Risky Implementation", "type": "CWE"}]}], "affected": [{"vendor": "IBM", "product": "Concert", "versions": [{"status": "affected", "version": "1.0.0", "lessThanOrEqual": "2.2.0", "versionType": "semver"}], "cpes": ["cpe:2.3:a:ibm:concert:1.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:concert:2.2.0:*:*:*:*:*:*:*"]}], "descriptions": [{"lang": "en", "value": "IBM Concert 1.0.0 through 2.2.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>IBM Concert 1.0.0 through 2.2.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information</p>"}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7267105", "tags": ["vendor-advisory", "patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}}], "solutions": [{"lang": "en", "value": "IBM strongly recommends addressing the vulnerability now by upgrading to IBM Concert Software 2.3.1\n\nDownload IBM Concert Software 2.3.1 from Container software library section of IBM Entitled Registry ( ICR https://myibm.ibm.com/products-services/containerlibrary ) and follow\u00a0 installation instructions https://www.ibm.com/docs/en/concert \u00a0depending on the type of deployment.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>IBM strongly recommends addressing the vulnerability now by upgrading to IBM Concert Software 2.3.1</p><p>Download IBM Concert Software 2.3.1 from Container software library section of IBM Entitled Registry (<a href=\"https://myibm.ibm.com/products-services/containerlibrary\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">ICR</a>) and follow&nbsp;<a href=\"https://www.ibm.com/docs/en/concert?topic=installing-preparing-run-installs-from-private-container-registry\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">installation instructions</a>&nbsp;depending on the type of deployment.</p>"}]}], "x_generator": {"engine": "ibm-cvegen"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T16:09:52.875363Z", "id": "CVE-2025-64647", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T16:10:00.297Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-64647", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T16:09:52.875363Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T16:09:56.785Z"}}], "cna": {"title": "Multiple Vulnerabilities in IBM Concert Software", "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"cpes": ["cpe:2.3:a:ibm:concert:1.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:concert:2.2.0:*:*:*:*:*:*:*"], "vendor": "IBM", "product": "Concert", "versions": [{"status": "affected", "version": "1.0.0", "versionType": "semver", "lessThanOrEqual": "2.2.0"}]}], "solutions": [{"lang": "en", "value": "IBM strongly recommends addressing the vulnerability now by upgrading to IBM Concert Software 2.3.1\n\nDownload IBM Concert Software 2.3.1 from Container software library section of IBM Entitled Registry ( ICR https://myibm.ibm.com/products-services/containerlibrary ) and follow\u00a0 installation instructions https://www.ibm.com/docs/en/concert \u00a0depending on the type of deployment.", "supportingMedia": [{"type": "text/html", "value": "<p>IBM strongly recommends addressing the vulnerability now by upgrading to IBM Concert Software 2.3.1</p><p>Download IBM Concert Software 2.3.1 from Container software library section of IBM Entitled Registry (<a href=\"https://myibm.ibm.com/products-services/containerlibrary\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">ICR</a>) and follow&nbsp;<a href=\"https://www.ibm.com/docs/en/concert?topic=installing-preparing-run-installs-from-private-container-registry\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">installation instructions</a>&nbsp;depending on the type of deployment.</p>", "base64": false}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7267105", "tags": ["vendor-advisory", "patch"]}], "x_generator": {"engine": "ibm-cvegen"}, "descriptions": [{"lang": "en", "value": "IBM Concert 1.0.0 through 2.2.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information", "supportingMedia": [{"type": "text/html", "value": "<p>IBM Concert 1.0.0 through 2.2.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1240", "description": "CWE-1240 Use of a Cryptographic Primitive with a Risky Implementation"}]}], "providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2026-03-25T20:37:23.724Z"}}}, "cveMetadata": {"cveId": "CVE-2025-64647", "state": "PUBLISHED", "dateUpdated": "2026-03-26T16:10:00.297Z", "dateReserved": "2025-11-06T18:13:00.559Z", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "datePublished": "2026-03-25T20:37:23.724Z", "assignerShortName": "ibm"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ibm:concert:*:*:*:*:*:*:*:*", "matchCriteriaId": "2E37B307-BAA4-487B-958B-7354E39D7B2A", "versionEndIncluding": "2.2.0", "versionStartIncluding": "1.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "IBM Concert 1.0.0 through 2.2.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information"}], "id": "CVE-2025-64647", "lastModified": "2026-03-26T17:49:07.637", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "psirt@us.ibm.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-25T21:16:25.823", "references": [{"source": "psirt@us.ibm.com", "tags": ["Vendor Advisory"], "url": "https://www.ibm.com/support/pages/node/7267105"}], "sourceIdentifier": "psirt@us.ibm.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1240"}], "source": "psirt@us.ibm.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.0.0,2.2.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "inferred", "scores": [{"score": 100.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Concert", "source": "cna", "vendor": "IBM"}, "product": "concert", "vendor": "ibm"}], "analysis": {"en": {"generated_at": "2026-03-26T20:05:26.777979+00:00", "value": {"mitigation_remediation": ["Upgrade IBM Concert Software to version 2.3.1 via the IBM Entitled Registry", "Follow IBM\u2019s installation instructions for your deployment type"], "summary": {"action": "Apply Patch", "impact": "Weak cryptographic algorithms may allow decryption of highly sensitive information"}, "threat_synthesis": {"affected_systems": "The vulnerability affects IBM Concert Software. Versions 1.0.0 through 2.2.0 are impacted, regardless of deployment type.\n\n", "description_and_impact": "IBM Concert 1.0.0 through 2.2.0 employs cryptographic algorithms that are weaker than expected, creating a vulnerability that could enable an attacker to decrypt highly sensitive data stored or transmitted by the system. This weakness is classified as CWE\u20111240, indicating a flaw in cryptographic material handling that directly compromises confidentiality.\n\n", "risk_and_exploitability": "The CVSS score of 5.9 indicates moderate severity, while the EPSS score of less than 1% suggests a low likelihood of real\u2011world exploitation. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Because the description does not specify the exact attack vector, it is reasonable to infer that an adversary would need access to encrypted data\u2014through compromised credentials, local/system access, or interception of stored or transmitted information\u2014to leverage this weakness. Administrators should review whether their environment handles sensitive cryptographic material and consider mitigating outcomes accordingly."}}}}, "created": "2026-03-25T21:46:02.768668+00:00", "updated": "2026-03-27T09:29:37.455899+00:00", "vendors": ["ibm", "ibm$PRODUCT$concert"]}