Description
IBM Concert 1.0.0 through 2.2.0 contains hard-coded credentials that could be obtained by a local user.
Published: 2026-03-25
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local Privilege Escalation
Action: Apply Patch
AI Analysis

Impact

IBM Concert Software versions 1.0.0 through 2.2.0 contain hard‑coded credentials that a local user can retrieve, allowing the user to impersonate privileged accounts or access protected data. This vulnerability is an example of CWE‑798, which involves the use of fixed passwords or keys in code. The risk is that an attacker with sole local access can elevate privileges or gain unauthorized authentication to the system.

Affected Systems

The affected product is IBM Concert Software, specifically all releases from 1.0.0 up to and including 2.2.0. The recommended fix is to upgrade to IBM Concert Software 2.3.1, which removes the hard‑coded credential artifacts.

Risk and Exploitability

The CVSS score of 6.2 indicates moderate overall impact, while an EPSS score of less than 1% shows low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. An attacker must have local console or filesystem access to exploit the hard‑coded credentials, so the risk is limited to environments where such local access is possible. Since the fix exists, immediate upgrade is the most effective mitigation.

Generated by OpenCVE AI on March 27, 2026 at 19:26 UTC.

Remediation

Vendor Solution

IBM strongly recommends addressing the vulnerability now by upgrading to IBM Concert Software 2.3.1 Download IBM Concert Software 2.3.1 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment.

OpenCVE Recommended Actions

  • Download IBM Concert Software 2.3.1 from the IBM Entitled Registry (ICR) and install following the deployment instructions.
  • Verify that the new installation has replaced all files and that hard‑coded credentials are no longer present.
  • If an upgrade cannot be performed immediately, restrict local user permissions to the directories containing the vulnerable files to prevent credential exposure.

Generated by OpenCVE AI on March 27, 2026 at 19:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:ibm:concert:*:*:*:*:*:*:*:*

Thu, 26 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Description IBM Concert 1.0.0 through 2.2.0 contains hard-coded credentials that could be obtained by a local user.
Title Multiple Vulnerabilities in IBM Concert Software
First Time appeared Ibm
Ibm concert
Weaknesses CWE-798
CPEs cpe:2.3:a:ibm:concert:1.0.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:concert:2.2.0:*:*:*:*:*:*:*
Vendors & Products Ibm
Ibm concert
References
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Ibm Concert
cve-icon MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-03-26T16:12:21.981Z

Reserved: 2025-11-04T19:28:32.018Z

Link: CVE-2025-12708

cve-icon Vulnrichment

Updated: 2026-03-26T16:12:19.194Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-25T20:16:22.067

Modified: 2026-03-27T18:18:08.177

Link: CVE-2025-12708

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T20:26:18Z

Weaknesses