CVE-2025-1095

HIGH
Published Apr 8, 2025 Modified Sep 29, 2025 CWE-420

Description

IBM Personal Communications v14 and v15 include a Windows service that is vulnerable to local privilege escalation (LPE). The vulnerability allows any interactively logged in users on the target computer to run commands with full privileges in the context of NT AUTHORITY\SYSTEM. This allows for a low privileged attacker to escalate their privileges. This vulnerability is due to an incomplete fix for CVE-2024-25029.

CVSS v3.1 Score

8.8
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Weakness Type (CWE)

CWE-420 CWE-420

Affected Products

Vendor Product
ibm personal_communications
ibm personal_communications
apple macos
linux linux_kernel
microsoft windows

References

Frequently Asked Questions

What is CVE-2025-1095? +
IBM Personal Communications v14 and v15 include a Windows service that is vulnerable to local privilege escalation (LPE). The vulnerability allows any interactively logged in users on the target computer to run commands with full privileges in the context of NT AUTHORITY\SYSTEM. This allows for a low privileged attacker to escalate their privileges. This vulnerability is due to an incomplete fix for CVE-2024-25029. It has a CVSS v3.1 base score of 8.8 (HIGH).
How severe is CVE-2025-1095? +
CVE-2025-1095 has a CVSS v3.1 score of 8.8 out of 10, rated HIGH. This is a high-severity vulnerability that should be prioritized for patching.
What products are affected by CVE-2025-1095? +
CVE-2025-1095 affects products from apple, ibm, linux, microsoft, specifically: linux_kernel, macos, personal_communications, windows. Check the affected products table above for specific version ranges.
How do I check if I'm vulnerable to CVE-2025-1095? +
You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2024-6242

A vulnerability exists in Rockwell Automation affected products that allows a threat actor to bypass the Trusted® Slot feature in …
CVE-2024-10081 10.0

CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Authentication bypass …
CVE-2025-52921 9.9

In Innoshop through 0.4.1, an authenticated attacker could exploit the File Manager functions in the admin panel to achieve code …
CVE-2025-13315 9.8

Twonky Server 8.5.2 on Linux and Windows is vulnerable to an access control flaw. An unauthenticated attacker can bypass web …
CVE-2025-54309 9.0

CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and …
CVE-2025-54351 8.9

In iperf before 3.19.1, net.c has a buffer overflow when --skip-rx-copy is used (for MSG_TRUNC in recv).

Don't wait for an exploit

Scan your website for vulnerabilities like CVE-2025-1095 — free, no signup required.

Start Free Scan