IBM UrbanCode Deploy 7.x-8.x Race Condition: http-session IP BND
CVE-2025-36360 Published on December 15, 2025
IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) is susceptible to an Insufficient Session Expiration vulnerability
IBM UCD - IBM UrbanCode Deploy 7.1 through 7.1.2.27, 7.2 through 7.2.3.20, and 7.3 through 7.3.2.15 and IBM UCD - IBM DevOps Deploy 8.0 through 8.0.1.10, and 8.1 through 8.1.2.3 are susceptible to a race condition in http-session client-IP binding enforcement which may allow a session to be briefly reused from a new IP address before it is invalidated, potentially enabling unauthorized access under certain network conditions.
Vulnerability Analysis
CVE-2025-36360 is exploitable with network access, and requires a small amount of user privileges. This vulnerability is considered to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be low, with a small impact on confidentiality, integrity, and availability.
Weakness Type
Insufficient Session Expiration
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Products Associated with CVE-2025-36360
Affected Versions
UCD - IBM UrbanCode Deploy:
- Version 7.1, <= 7.1.2.27 is affected.
- Version 7.2, <= 7.2.3.20 is affected.
- Version 7.3, <= 7.3.2.15 is affected.
- Version 8.0, <= 8.0.1.10 is affected.
- Version 8.1, <= 8.1.2.3 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.