Integration News

IBM Sterling Connect:Direct for UNIX is vulnerable to Execution with Unnecessary Privileges.

Summary

IBM Sterling Control Center can apply maintenance to and upgrade IBM Sterling Connect:Direct for UNIX. As part of that process the Control Center administrator can optionally run pre-update and post-update scripts. Those scripts are run as root, although they should run as the standard (non-root) user account under which Connect:Direct for UNIX was installed, so whatever the script contains executes with full root privileges on the Connect:Direct host.
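The pattern behind CWE-250 here is an updater that runs with root privileges and hands those privileges to an operator-supplied hook script. The following is an added, hypothetical shell example (not IBM's updater and not code from this advisory) showing the unsafe pattern next to a hardened wrapper that refuses hooks not owned exclusively by the install account and runs them as that account instead of as root. It assumes GNU coreutils `stat -c` and util-linux `runuser` on the host; the function names, the owner argument and the hook path are illustrative.

```shell
#!/bin/sh
# Added example: root-run maintenance wrapper that executes a post-update hook.
# Hypothetical code, not the Control Center / Connect:Direct implementation.
# Assumes GNU stat (-c '%U %a') and util-linux runuser (-u USER -- CMD).

# Vulnerable pattern (CWE-250): the hook runs with the caller's privileges,
# i.e. root when invoked from a root-run updater, with no checks at all.
run_hook_unsafe() {
    hook="$1"
    sh "$hook"
}

# Accept a hook only if it is a regular file owned by the install account and
# not writable by group or others. A group/world-writable hook would let a
# low-privilege local user plant commands that the updater then executes.
check_hook() {
    hook="$1"; owner="$2"
    [ -f "$hook" ] || { echo "hook is not a regular file: $hook" >&2; return 1; }
    info=$(stat -c '%U %a' "$hook") || return 1
    file_owner=${info%% *}          # e.g. "cduser"
    mode=${info##* }                # e.g. "750" (no leading zero from stat)
    [ "$file_owner" = "$owner" ] || {
        echo "hook $hook is owned by $file_owner, expected $owner" >&2; return 1; }
    group_bits=$(( mode / 10 % 10 ))
    other_bits=$(( mode % 10 ))
    if [ $(( group_bits & 2 )) -ne 0 ] || [ $(( other_bits & 2 )) -ne 0 ]; then
        echo "hook $hook is group/world writable (mode $mode)" >&2; return 1
    fi
    return 0
}

# Hardened pattern: validate the hook, then drop from root to the install
# account before executing it. If we are already that account, run directly;
# any other caller is refused rather than silently run with extra privilege.
run_hook_as_owner() {
    hook="$1"; owner="$2"
    check_hook "$hook" "$owner" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        runuser -u "$owner" -- sh "$hook"
    elif [ "$(id -un)" = "$owner" ]; then
        sh "$hook"
    else
        echo "must be root or $owner to run $hook" >&2; return 1
    fi
}
```

The ownership and write-bit check matters even after the privilege drop: if the hook's directory or the hook itself can be modified by a user other than the install account, that user still gains whatever the install account can do on the Connect:Direct node.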

CVEID: CVE-2025-36137
Description: IBM Sterling Connect:Direct for UNIX incorrectly assigns permissions for maintenance tasks to Control Center Director (CCD) users. Because post-update scripts are run with unnecessary (root) privileges, an already privileged CCD user could escalate their privileges further.
CWE: CWE-250: Execution with Unnecessary Privileges
CVSS Source: IBM
CVSS Base score: 7.2
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM Sterling Connect:Direct for UNIX 6.4.0, 6.3.0 and 6.2.0 (see the table below).

Remediation/Fixes

Product                               Affected Version   Remediation / Fix / Instructions
IBM Sterling Connect:Direct for UNIX  6.4.0              Apply 6.4.0.2.iFix004, available on Fix Central
IBM Sterling Connect:Direct for UNIX  6.3.0              Apply 6.3.0.5.iFix008, available on Fix Central
IBM Sterling Connect:Direct for UNIX  6.2.0              Apply 6.2.0.9.iFix005, available on Fix Central

Workarounds and Mitigations

None.

Change History

30 Oct 2025: Initial Publication
