Multiple vulnerabilities reported in IBM Hardware Management Console
Take action: First, make sure your IBM Hardware Management Console (HMC) is isolated and accessible only from trusted networks and trusted personnel. Also check whether you are running vulnerable versions (V10.2.1030.0 and V10.3.1050.0). If you are, plan a patch cycle, because any isolation will eventually be breached.
IBM has addressed multiple security vulnerabilities in its Power Hardware Management Console (HMC), including one critical severity flaw.
Vulnerabilities summary:
- CVE-2025-1950 (CVSS score 9.3): A critical vulnerability that allows local users to execute commands with elevated privileges due to improper validation of libraries from untrusted sources.
- CVE-2025-1951 (CVSS score 8.4): A vulnerability that enables local attackers to execute commands with extended rights.
The following HMC versions are vulnerable:
- HMC V10.2.1030.0
- HMC V10.3.1050.0
IBM has released security updates to address these vulnerabilities. The following fixes are available on IBM Fix Central at: http://www-933.ibm.com/support/fixcentral/
| Product | VRMF | APAR | Remediation/Fix |
|---|---|---|---|
| Power HMC | V10.2.1040.0 SP3 x86 | MB04482 | MF71717 |
| Power HMC | V10.2.1040.0 SP3 ppc | MB04483 | MF71718 |
| Power HMC | V10.3.1060.0 SP1 x86 | MB04484 | MF71719 |
| Power HMC | V10.3.1060.0 SP1 ppc | MB04485 | MF71720 |
IBM has not provided any workarounds or mitigations for these vulnerabilities. Organizations should apply the available security updates as soon as possible.
Currently, there have been no reports of attackers exploiting these vulnerabilities in the wild. However, it remains unclear how administrators can identify appliances that may have already been compromised.