Attackers can target servers and workstations running IBM’s AIX operating system. The Virtual I/O Server (VIOS) software is also vulnerable. In addition, the developers have closed vulnerabilities in App Connect Enterprise Toolkit and Integration Bus for z/OS Toolkit. Security updates are available for download.
Deceiving victims
The security vulnerability (CVE-2019-11777, rated “high”) in the latter two products is located in the Paho Java client component, the developers explain in a security bulletin. Under certain conditions the MQTT server's identity is not verified, which allows attackers to pass off their own MQTT server as the legitimate one. The bulletin does not explain why IBM is only now addressing a vulnerability from 2019.
The developers assure that they have closed the vulnerability in the following releases. It is currently unknown whether any attacks have already taken place.
- IBM Integration Bus for z/OS v10.1 – Fix Pack Release 10.1.0.6
- IBM App Connect Enterprise v12 – Fix Pack Release 12.0.12.17
- IBM App Connect Enterprise v13 – Fix Pack Release 13.0.4.2
Root security vulnerability
If AIX or VIOS systems use Kerberos for authentication, local attackers can exploit a software vulnerability (CVE-2025-36344, rated “high”). A successful attack lets them write files to the system with root privileges, the developers explain in a post. Again, there are no reports yet of attackers exploiting the vulnerability.
To protect systems against such an attack, administrators must install a security update. The krb5.client.rte update (level 1.16.1.7) is available for download for AIX 7.2 and 7.3 as well as VIOS 3.1 and 4.1.
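As an added example (not from the article or from IBM), a small POSIX shell check of whether the installed krb5.client.rte fileset on an AIX or VIOS host is at or above the fixed level 1.16.1.7. On a real host the input would be the output of `lslpp -L krb5.client.rte`; the lslpp output embedded below is constructed, not captured from a system.

```shell
#!/bin/sh
# Added example, not from the article: compare the installed krb5.client.rte
# fileset level against the level the fix ships in (1.16.1.7).
# Real input on a host: lslpp -L krb5.client.rte  (sample below is constructed)

FIXED_LEVEL="1.16.1.7"

# Numeric comparison of dotted fileset levels (V.R.M.F); prints 1 if $1 >= $2, else 0.
level_ge() {
    a="$1"; b="$2"; i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}          # a missing component counts as 0
        if [ "$x" -gt "$y" ]; then echo 1; return; fi
        if [ "$x" -lt "$y" ]; then echo 0; return; fi
        i=$((i + 1))
    done
    echo 1
}

# Pull the Level column for one fileset out of lslpp -L style output on stdin.
installed_level() {
    awk -v fs="$1" '$1 == fs { print $2; exit }'
}

# Prints "patched", "vulnerable" or "not-installed" for lslpp output passed as $1.
krb5_status() {
    lvl=$(printf '%s\n' "$1" | installed_level krb5.client.rte)
    if [ -z "$lvl" ]; then echo "not-installed"; return; fi
    if [ "$(level_ge "$lvl" "$FIXED_LEVEL")" -eq 1 ]; then echo "patched"; else echo "vulnerable"; fi
}

# Constructed sample of `lslpp -L krb5.client.rte` on an unpatched host.
SAMPLE_OLD="  Fileset                      Level  State  Type  Description (Uninstaller)
  ----------------------------------------------------------------------------
  krb5.client.rte            1.16.1.6    C     F    Network Authentication Service Client"

# Constructed sample after the update has been installed.
SAMPLE_NEW="  krb5.client.rte            1.16.1.7    C     F    Network Authentication Service Client"

krb5_status "$SAMPLE_OLD"   # prints: vulnerable
krb5_status "$SAMPLE_NEW"   # prints: patched
```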
(des)
This article was originally published in German.
It was translated with technical assistance and editorially reviewed before publication.