
CVE-2025-13375: Critical IBM Crypto Flaw (CVSS 9.8) Exposes Hardware Security Modules

  • Feb 6
  • 2 min read

Key Findings


  • IBM has disclosed a critical vulnerability, CVE-2025-13375, in its Common Cryptographic Architecture (CCA) software with a CVSS score of 9.8.

  • The flaw allows unauthenticated attackers to execute arbitrary commands with elevated privileges on the system, exposing the IBM Hardware Security Modules (HSMs).

  • The vulnerability affects specific versions of the CCA software running on IBM's 4769 and 4770 cryptographic coprocessors, as well as the IBM i platform.

  • The impact is severe, potentially allowing attackers to steal sensitive cryptographic keys and disrupt critical financial or security operations.


Background


The Common Cryptographic Architecture (CCA) is a core component used to interface with IBM's high-security hardware modules, the Hardware Security Modules (HSMs). These devices are designed to safeguard digital keys and encrypt sensitive data, serving as a crucial element in secure transaction processing.


The Vulnerability


CVE-2025-13375 is a vulnerability in the CCA software that could allow an unauthenticated user to execute arbitrary commands with elevated privileges on the system. This effectively gives the attacker control over the cryptographic card and the applications that rely on it.


The vulnerability affects the following specific versions of the CCA software:


  • CCA 7 MTM for 4769: Version 7.5.52

  • CCA 8 MTM for 4770: Version 8.4.82

  • IBM 4769 Developers Toolkit: Version 7.5.52


These systems run on a variety of platforms, including IBM AIX, IBM i, IBM PowerLinux, and Linux on Intel x86, meaning the impact of this vulnerability spans a wide range of enterprise environments.


Impact


The impact of this vulnerability is threefold, affecting the confidentiality, integrity, and availability of both the cryptographic card and the applications that rely on it. In a worst-case scenario, an attacker could steal sensitive cryptographic keys and disrupt critical financial or security operations.


Mitigation


IBM is urging customers to patch immediately by upgrading to the latest firmware levels:


  • For CCA 7 MTM for 4769, upgrade to version 7.5.53 (Firmware levels: segment-1: 7.0.80, segment-2: 7.5.53, segment-3: 7.5.53).

  • For CCA 8 MTM for 4770, upgrade to version 8.4.84 (Firmware levels: segment-1: 8.0.90, segment-2: 8.4.84, segment-3: 8.4.84).

  • For IBM i users, the fix involves applying specific PTFs (Program Temporary Fixes) for the IBM CCA Service Provider and Cryptographic Device Manager, depending on the OS release (7.3 through 7.6).


Administrators responsible for these high-security modules should prioritize this update to prevent unauthorized command execution on their most sensitive infrastructure.
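As an added example (not IBM's code and not part of the advisory), the script below triages an inventory of CCA cards against the levels quoted above: a card whose segment-2 or segment-3 level is the affected CCA level (7.5.52 or 8.4.82) is reported as affected, a card whose three segments are all at or above the fixed levels is reported as fixed, and anything else is flagged for review rather than assumed safe. It assumes you have already collected each card's segment levels with IBM's own tooling; the card ids and levels in SAMPLE_INVENTORY are constructed for illustration.

```python
"""
Added example (not IBM's code or from the advisory): triage a fleet of CCA
cards by comparing the firmware segment levels each card reports against the
affected and fixed levels quoted in the advisory.
"""

# Levels quoted in the advisory. The CCA level lives in segment-2 and segment-3;
# segment-1 is the base firmware level that ships with the fixed release.
AFFECTED_CCA_LEVEL = {"4769": "7.5.52", "4770": "8.4.82"}
FIXED_LEVELS = {
    "4769": {"segment-1": "7.0.80", "segment-2": "7.5.53", "segment-3": "7.5.53"},
    "4770": {"segment-1": "8.0.90", "segment-2": "8.4.84", "segment-3": "8.4.84"},
}
SEGMENTS = ("segment-1", "segment-2", "segment-3")


def parse_level(level: str) -> tuple[int, ...]:
    """Turn '7.5.52' into (7, 5, 52) so that levels compare numerically.
    A plain string comparison would wrongly rank '7.5.9' above '7.5.53'."""
    parts = level.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed firmware level: {level!r}")
    return tuple(int(p) for p in parts)


def classify_card(model: str, segments: dict[str, str]) -> str:
    """Return 'affected', 'fixed' or 'review' for one card.

    'affected': segment-2 or segment-3 carries the CCA level the advisory
                names as vulnerable.
    'fixed':    every segment is at or above the fixed level.
    'review':   anything else (a level the advisory does not list, or a
                partially updated card); treat it as unverified, not as safe.
    """
    if model not in FIXED_LEVELS:
        raise ValueError(f"unsupported card model: {model!r}")
    if any(seg not in segments for seg in SEGMENTS):
        raise ValueError(f"card model {model} is missing a segment level")

    affected = parse_level(AFFECTED_CCA_LEVEL[model])
    if any(parse_level(segments[seg]) == affected for seg in ("segment-2", "segment-3")):
        return "affected"

    fixed = FIXED_LEVELS[model]
    if all(parse_level(segments[seg]) >= parse_level(fixed[seg]) for seg in SEGMENTS):
        return "fixed"
    return "review"


def triage(inventory: list[dict]) -> dict[str, str]:
    """Map each card id in an inventory to its classification."""
    return {card["id"]: classify_card(card["model"], card["segments"]) for card in inventory}


# Constructed inventory: hypothetical card ids and levels, not real hosts.
SAMPLE_INVENTORY = [
    {"id": "hsm-a", "model": "4769",
     "segments": {"segment-1": "7.0.80", "segment-2": "7.5.52", "segment-3": "7.5.52"}},
    {"id": "hsm-b", "model": "4769",
     "segments": {"segment-1": "7.0.80", "segment-2": "7.5.53", "segment-3": "7.5.53"}},
    # segment-1 below the fixed base level: only partially updated.
    {"id": "hsm-c", "model": "4770",
     "segments": {"segment-1": "8.0.85", "segment-2": "8.4.84", "segment-3": "8.4.84"}},
    # A level the advisory does not list; string comparison would call it fixed.
    {"id": "hsm-d", "model": "4770",
     "segments": {"segment-1": "8.0.90", "segment-2": "8.4.9", "segment-3": "8.4.9"}},
]

if __name__ == "__main__":
    for card_id, status in triage(SAMPLE_INVENTORY).items():
        print(f"{card_id}: {status}")
```

The three-state result is deliberate: the advisory only names 7.5.52 and 8.4.82 as affected and only the listed levels as fixed, so a card at any other level (older firmware, or one segment left behind during an upgrade) is surfaced for a human to check rather than silently counted as patched.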


Sources


  • https://securityonline.info/cve-2025-13375-critical-ibm-crypto-flaw-cvss-9-8-exposes-hsms/

  • https://x.com/__kokumoto/status/2019705305823842350

  • https://x.com/the_yellow_fall/status/2019699539591266439
