IBM Storage Virtualize 8.49.1 IKEv1 SA Neg. Remote Leak
CVE-2025-36118 Published on November 17, 2025
IBM Storage Virtualize Information Disclosure
IBM Storage Virtualize 8.4, 8.5, 8.7, and 9.1 IKEv1 implementation allows remote attackers to obtain sensitive information from device memory via a Security Association (SA) negotiation request.
Vulnerability Analysis
CVE-2025-36118 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.
Weakness Type
What is a Heap Inspection Vulnerability?
Using realloc() to resize buffers that store sensitive information can leave the sensitive information exposed to attack, because it is not removed from memory. When sensitive data such as a password or an encryption key is not removed from memory, it could be exposed to an attacker using a "heap inspection" attack that reads the sensitive data using memory dumps or other methods. The realloc() function is commonly used to increase the size of a block of allocated memory. This operation often requires copying the contents of the old memory block into a new and larger block. This operation leaves the contents of the original block intact but inaccessible to the program, preventing the program from being able to scrub sensitive data from memory. If an attacker can later examine the contents of a memory dump, the sensitive data could be exposed.
CVE-2025-36118 has been classified to as a Heap Inspection vulnerability or weakness.
Products Associated with CVE-2025-36118
Want to know whenever a new CVE is published for IBM Storage Virtualize? stack.watch will email you.
Affected Versions
IBM Storage Virtualize:- Version 8.4 is affected.
- Version 8.5 is affected.
- Version 8.7 is affected.
- Version 9.1 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.