IBM AIX 7.3, VIOS 4.1.1: Arbitrary Code Exec via Perl Pathname Issue
CVE-2025-33112 Published on June 10, 2025

IBM AIX command execution
IBM AIX 7.3 and IBM VIOS 4.1.1 Perl implementation could allow a non-privileged local user to exploit a vulnerability to execute arbitrary code due to improper neutralization of pathname input.

Vendor Advisory NVD

Vulnerability Analysis

CVE-2025-33112 is exploitable with local system access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.

Attack Vector:
LOCAL
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
HIGH

Weakness Type

Relative Path Traversal

The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory. This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory.


Products Associated with CVE-2025-33112

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2025-33112 are published in these products:

IBM Vios
 
IBM Aix
 

Affected Versions

IBM AIX: IBM VIOS:

Exploit Probability

EPSS
0.02%
Percentile
5.18%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.