
IBM Patches Over 100 Vulnerabilities

Most of the more than 100 vulnerabilities resolved this week, including several critical flaws, were in third-party dependencies.


IBM this week announced fixes for more than 100 vulnerabilities across its products, including multiple critical-severity bugs. Most of them were in third-party dependencies.

Storage Defender received patches for six critical-severity defects, all affecting third-party components in Data Protect (which is included in Storage Defender).

The weaknesses could lead to denial-of-service (DoS) conditions, memory corruption, arbitrary file overwrite, and application crashes.

Another critical-severity vulnerability was addressed in the Apache Tomcat server used by IBM Guardium Data Protection. The flaw, tracked as CVE-2025-48913, could lead to code execution.

IBM also announced a fix for a critical-severity bug in the form-data library used by Maximo Application Suite; the flaw could allow attackers to inject parameters into requests.

Edge Data Collector received patches for a critical SQL injection defect in the Django web framework.


IBM also fixed dozens of vulnerabilities in Observability with Instana (OnPrem), including critical bugs in Tomcat, libxml2, and WebKit that could lead to command execution, DoS conditions, process crashes, and other unexpected behavior.

A critical-severity issue in the Corosync library was addressed with security updates for IBM Db2. The weakness could lead to a process crash or arbitrary code execution if encryption is disabled or the attacker knows the encryption key.

Multiple high- and medium-severity flaws were also patched across Content Collector, DataPower Operations Dashboard, License Metric Tool, Planning Analytics, Watsonx Subscription, InfoSphere Information Server, StreamSets, and Db2 for Linux, UNIX and Windows.

Additional information on these vulnerabilities and the corresponding patches can be found on IBM’s security bulletins page.


Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
