IBM CICS TX 10.1/11.1 Local Exec via unsafe gets()
CVE-2025-1331 Published on May 8, 2025
IBM CICS TX code execution
IBM CICS TX Standard 11.1 and IBM CICS TX Advanced 10.1 and 11.1 could allow a local user to execute arbitrary code on the system due to the use of unsafe use of the gets function.
Vulnerability Analysis
CVE-2025-1331 can be exploited with local system access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
Use of Inherently Dangerous Function
The program calls a function that can never be guaranteed to work safely. Certain functions behave in dangerous ways regardless of how they are used. Functions in this category were often implemented without taking security concerns into account. The gets() function is unsafe because it does not perform bounds checking on the size of its input. An attacker can easily send arbitrarily-sized input to gets() and overflow the destination buffer. Similarly, the >> operator is unsafe to use when reading into a statically-allocated character array because it does not perform bounds checking on the size of its input. An attacker can easily send arbitrarily-sized input to the >> operator and overflow the destination buffer.
Products Associated with CVE-2025-1331
Want to know whenever a new CVE is published for IBM Cics Tx? stack.watch will email you.
Affected Versions
IBM CICS TX Standard:- Version 11.1 is affected.
- Version 10.1 is affected.
- Version 11.1 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.