A critical remote code execution vulnerability has been identified in the Network Installation Management (NIM) service of IBM AIX and VIOS systems. This flaw, rated with the highest possible CVSS score of 10.0, could allow an unauthenticated remote attacker to execute arbitrary commands and gain complete control over affected servers, leading to a total system compromise.

The vulnerability exists within the NIM server service, specifically the nimesis daemon, due to improper process controls. A remote, unauthenticated attacker can send specially crafted requests to the NIM service, exploiting this flaw to execute arbitrary commands on the server. The commands would likely run with the privileges of the nimesis service, which is typically root, resulting in a complete system takeover. This vulnerability addresses additional attack vectors not covered by the patch for a related, previous vulnerability (CVE-2024-56346).

This vulnerability is rated as critical severity with a CVSS score of 10.0, representing the highest possible risk. Successful exploitation would lead to a complete compromise of the affected IBM AIX or VIOS NIM server. An attacker could steal sensitive data, deploy ransomware, disrupt critical business operations, or use the compromised server as a foothold to launch further attacks across the internal network. Since NIM servers are central to OS installation and system management, their compromise could lead to a widespread and catastrophic breach of the entire AIX environment.

Immediate Action:

• Apply the security updates provided by IBM to all affected AIX and VIOS systems immediately.
• Prioritize patching for NIM servers that are accessible from less trusted networks.
• After patching, review system and application logs for any signs of compromise that may have occurred before the patch was applied.

Proactive Monitoring:

• Monitor network traffic for unusual connections to the NIM service ports (typically TCP/3901 and TCP/3902).
• Review system audit logs for unexpected processes being spawned by the nimesis daemon or any unusual command execution by the root user.
• Implement security information and event management (SIEM) rules to alert on anomalous activity originating from or targeting NIM servers.

Compensating Controls:

• If patching cannot be performed immediately, restrict network access to the NIM server's ports (TCP/3901, 3902) using a firewall. Access should be limited strictly to trusted IP addresses of systems that require NIM services.
• Deploy a network Intrusion Prevention System (IPS) with rules to detect and block potential exploitation attempts against this vulnerability.
• Ensure system auditing is enabled on all NIM servers to log command execution and process creation.

Public Exploit Available: false

Given the critical CVSS score of 10.0, this vulnerability poses a severe and immediate threat to the organization. We strongly recommend that all affected IBM AIX and VIOS NIM servers are patched on an emergency basis. Although this CVE is not currently listed on the CISA KEV list, its severity makes it a prime candidate for future inclusion. If immediate patching is not feasible, the compensating controls listed above must be implemented without delay to reduce the attack surface and mitigate the risk of a full system compromise.