securityonline.info 2/6/2026, 10:36:10 AM · via preferred

CVE-2025-13375: Critical IBM Crypto Flaw (CVSS 9.8) Exposes HSMs

Status: not listed in the CISA KEV catalog; patch available.

IBM has issued a critical security bulletin for its Common Cryptographic Architecture (CCA), the software layer that interfaces with IBM's Hardware Security Modules (HSMs), in response to CVE-2025-13375. The flaw carries a CVSS score of 9.8 and allows an unauthenticated attacker to execute arbitrary commands with elevated privileges.

According to IBM, the flaw affects specific versions of the CCA software running on the IBM 4769 and 4770 cryptographic coprocessors: CCA 7 MTM for the 4769 at version 7.5.52, CCA 8 MTM for the 4770 at version 8.4.82, and the IBM 4769 Developers Toolkit at version 7.5.52. Fixed versions have been released: 7.5.53 for CCA 7 MTM (4769) and 8.4.84 for CCA 8 MTM (4770), with the corresponding firmware levels detailed as segment-1, segment-2 and segment-3 updates.

For IBM i users, the fix involves applying specific PTFs for the IBM CCA Service Provider and the Cryptographic Device Manager, depending on the OS release (7.3 through 7.6). IBM notes that the affected platforms include IBM AIX, IBM i, IBM PowerLinux and Linux on Intel x86, and urges customers to patch immediately to prevent unauthorized command execution.


Article by CyberSIXT