Description
IBM Concert 1.0.0 through 2.2.0 contains hard-coded credentials that could be obtained by a local user.
Published: 2026-03-25
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Credential Access via Hard‑Coded Credentials
Action: Immediate Patch
AI Analysis

Impact

IBM Concert versions 1.0.0 through 2.2.0 include hard‑coded credentials that can be retrieved by a local user. These credentials provide direct access to protected system functions, enabling the local attacker to authenticate without authorization. The vulnerability is classified under CWE‑798, indicating improper credential storage or disclosure.

Affected Systems

The affected products are IBM Concert Software versions 1.0.0 and 2.2.0. The vendor recommends upgrading to version 2.3.1, which removes the hard‑coded credentials, to mitigate the risk.

Risk and Exploitability

The CVSS score of 6.2 labels this as a moderate severity issue. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack requires local access; an attacker with local privileges can read the stored credentials and use them to gain further access to system resources. No remote exploitation vector is documented. The overall risk is moderate, but due to the sensitive nature of credential exposure, immediate action is advised.

Generated by OpenCVE AI on March 25, 2026 at 21:29 UTC.

Remediation

Vendor Solution

IBM strongly recommends addressing the vulnerability now by upgrading to IBM Concert Software 2.3.1 Download IBM Concert Software 2.3.1 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment.

OpenCVE Recommended Actions

  • Upgrade IBM Concert Software to version 2.3.1 following IBM’s installation instructions.
  • Verify that the new installation no longer contains hard‑coded credentials.
  • Remove any older installations of Concert that are still vulnerable.
  • Monitor system logs for attempts to use legacy credentials or anomalous authentication activity.

Generated by OpenCVE AI on March 25, 2026 at 21:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Description IBM Concert 1.0.0 through 2.2.0 contains hard-coded credentials that could be obtained by a local user.
Title Multiple Vulnerabilities in IBM Concert Software
First Time appeared Ibm
Ibm concert
Weaknesses CWE-798
CPEs cpe:2.3:a:ibm:concert:1.0.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:concert:2.2.0:*:*:*:*:*:*:*
Vendors & Products Ibm
Ibm concert
References
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Ibm Concert
cve-icon MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-03-26T16:12:21.981Z

Reserved: 2025-11-04T19:28:32.018Z

Link: CVE-2025-12708

cve-icon Vulnrichment

Updated: 2026-03-26T16:12:19.194Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-25T20:16:22.067

Modified: 2026-03-26T15:13:15.790

Link: CVE-2025-12708

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-26T11:34:02Z

Weaknesses