Description
IBM Concert 1.0.0 through 2.2.0 transmits data in clear text that could allow an attacker to obtain sensitive information using man in the middle techniques.
Published: 2026-03-25
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive data exposure due to cleartext transmission
Action: Patch
AI Analysis

Impact

IBM Concert Software versions 1.0.0 through 2.2.0 transmit data in clear text, allowing an attacker to capture confidential information if the network traffic is intercepted. This vulnerability can lead to confidentiality loss and potentially expose user credentials, configuration details, or other sensitive data. The weakness is classified as Cleartext Transmission of Sensitive Information (CWE-319).

Affected Systems

The affected product is IBM Concert Software from IBM. All releases from 1.0.0 through 2.2.0 inclusive (version 1.0.0 and the 1.1.x through 2.2.0 releases) are impacted.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a man-in-the-middle scenario in which an attacker positioned on the same network segment can intercept unencrypted traffic. Exploitation requires no special privileges; simply observing or replaying the traffic will reveal the sensitive data contained in the cleartext stream.

Generated by OpenCVE AI on March 26, 2026 at 19:36 UTC.

Remediation

Vendor Solution

IBM strongly recommends addressing the vulnerability now by upgrading to IBM Concert Software 2.3.1. Download IBM Concert Software 2.3.1 from the Container software library section of the IBM Entitled Registry (ICR, https://myibm.ibm.com/products-services/containerlibrary) and follow the installation instructions (https://www.ibm.com/docs/en/concert) for your type of deployment.

OpenCVE Recommended Actions

  • Verify the current version of IBM Concert Software installed
  • Plan an upgrade path to the stable release
  • Obtain IBM Concert Software 2.3.1 from the IBM Entitled Registry
  • Follow the installation instructions provided by IBM for your deployment type
  • Confirm that communication channels are now encrypted after the upgrade

Generated by OpenCVE AI on March 26, 2026 at 19:36 UTC.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 05:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 18:00:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:ibm:concert:*:*:*:*:*:*:*:*

Wed, 25 Mar 2026 20:45:00 +0000

Type | Values Removed | Values Added
Description | | IBM Concert 1.0.0 through 2.2.0 transmits data in clear text that could allow an attacker to obtain sensitive information using man in the middle techniques.
Title | | Multiple Vulnerabilities in IBM Concert Software
First Time appeared | | Ibm; Ibm concert
Weaknesses | | CWE-319
CPEs | | cpe:2.3:a:ibm:concert:1.0.0:*:*:*:*:*:*:*; cpe:2.3:a:ibm:concert:2.2.0:*:*:*:*:*:*:*
Vendors & Products | | Ibm; Ibm concert
References | |
Metrics | | cvssV3_1: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-03-26T15:24:44.034Z

Reserved: 2025-11-06T18:13:00.559Z

Link: CVE-2025-64648

Vulnrichment

Updated: 2026-03-26T15:24:39.923Z

NVD

Status: Analyzed

Published: 2026-03-25T21:16:25.997

Modified: 2026-03-26T17:48:29.483

Link: CVE-2025-64648

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:29:36Z

Weaknesses