The Paradox of Mainframe Security: Most Secure Yet Still Vulnerable

Oct 10, 2025

Sarah Maloney Beckel, CISSP, PMP, is a strategic and visionary technology executive with over two decades of experience. She specializes in enterprise-scale innovation at the intersection of AI, IT/OT, product development, cybersecurity, and infrastructure modernization. Connect with her on LinkedIn.

The most secure system in the world is also vulnerable.

Mainframes remain the backbone of critical infrastructure—but they are not immune to modern threats. Some still see mainframes as unbreakable fortresses, while others view them as legacy systems lagging in modern defenses. Both views contain truth. The challenge now is balancing proven resilience with today’s demands for transparency and proactive risk reduction. Bad actors are a reality, and mainframes are a real target. However, opinions about the security of mainframes fall into two categories. One side consists of those who believe mainframes are the most secure system in the world. The other group argues that mainframes have all the same security issues and are just as vulnerable as other technologies. Can these two seemingly opposing views both be true? Yes, it turns out.

From vendor advisories and Common Vulnerabilities and Exposures (CVE) disclosures to the growing push for software and hardware transparency, the landscape is shifting. Understanding how issues are reported, patched, and communicated is critical for a proactive defense.

It’s worth noting that most security issues and vulnerabilities would be resolved if we all just followed good cyber hygiene. The NetPI 2025 Mainframe Security Report noted, “Almost everything we find in our (penetration) testing is preventable through proper configuration and management. The question is really about how much effort and attention organizations want to dedicate to securing these critical environments.” But in the meantime, enterprises must act to protect their mainframe critical infrastructure and data.

This article describes today’s mainframe security practices: what’s working, where the gaps remain, and why modern supply chain tools like Software Bill of Materials (SBOM) and Hardware Bill of Materials (HBOM) are becoming part of the conversation.

Product Security Process


Major mainframe vendors such as IBM, Broadcom, and BMC maintain “Product Security Incident Response Teams” (PSIRTs). These are the first line of communication when vulnerabilities surface.

Once identified, vendors issue advisories through these PSIRTs. The advisories drive the patching process, which is typically delivered as Program Temporary Fixes (PTFs). Unlike commodity IT systems, mainframes don’t follow a predictable “Patch Tuesday” cycle. Instead, updates depend on vendor bulletins and delivery through System Modification Program/Extended, or SMP/E.

Mainframe vulnerabilities are tracked like any other system, through CVEs. Two recent examples in Table 1 highlight the risks and the response process.

In one example, IBM Db2 for z/OS disclosed a denial-of-service vulnerability (CVE-2025-1000), which was mitigated with a PTF. Meanwhile, open-source Zowe patched an HTTP request smuggling issue in July 2025 (CVE-2025-41235).

| CVE ID | Component | Severity | Key Impact | Mitigation Status |
| --- | --- | --- | --- | --- |
| CVE-2025-1000 | IBM Db2 for z/OS (client connection) | Medium (~5.3) | Denial of service via resource exhaustion during rerouting | Patch available from IBM (PTF/APAR) |
| CVE-2025-41235 | Zowe (Spring Cloud Gateway) | High (~8.6) | HTTP request smuggling via X-Forwarded-* header misuse | Fixed in Zowe v2.18.2 (July 2025 release) |

Table 1: CVE Examples for Mainframe

While CVEs are consistently documented, they’re often buried in vendor-specific channels. Few people have the time to wade through webpages looking to fix issues they don’t know exist. Integration into enterprise vulnerability platforms is still uneven, leaving many security teams dependent on manual monitoring or custom connectors.

SBOM and HBOM: Transparency in the Supply Chain

Historically, mainframe teams rarely considered software provenance. Patches and fixes came from trusted vendors, and that was the end of it. But the SolarWinds breach and other high-profile supply chain attacks changed the conversation.

According to IBM, the global average cost of a data breach in 2025 is USD 4.4 million. The good news is that this is a 9% decrease over last year, mainly driven by faster identification and containment. 

Now, software bills of materials (SBOMs) are becoming required, driven by U.S. federal mandates like Executive Order 14028. SBOMs are increasingly included in mainframe-related products, especially open-source efforts like Zowe.


An SBOM acts like an ingredient list, showing every open-source library, module, and dependency baked into a product. For mainframes, enterprises can see not just the IBM or Broadcom components they expect, but also the smaller, open-source pieces that could introduce vulnerabilities.
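The manual monitoring gap described under the CVE discussion and the "ingredient list" idea above can be bridged by cross-checking an SBOM against advisory data such as Table 1. The following is an added example, not code from the article or from any vendor tool; the SBOM is a constructed CycloneDX-style fragment, and the component names and versions in it are invented for illustration.

```python
import json
import re

# Constructed CycloneDX-style SBOM fragment (component names/versions are made up).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "application", "name": "zowe", "version": "2.18.1"},
    {"type": "library", "name": "spring-cloud-gateway", "version": "4.1.0"},
    {"type": "application", "name": "db2-for-zos-client", "version": "13.1.0"}
  ]
}
"""

# Advisory data taken from Table 1. fixed_in is None where the article only says
# "PTF available", so that finding must be confirmed against the applied PTFs.
ADVISORIES = [
    {"cve": "CVE-2025-41235", "component": "zowe", "fixed_in": "2.18.2", "severity": "High"},
    {"cve": "CVE-2025-1000", "component": "db2-for-zos-client", "fixed_in": None, "severity": "Medium"},
]


def parse_version(version):
    """Turn '2.18.1' into (2, 18, 1) so versions compare numerically, not as strings."""
    return tuple(int(m.group()) for m in re.finditer(r"\d+", version))


def match_sbom(sbom_json, advisories):
    """Return one finding per (component, advisory) pair whose names match."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if comp["name"].lower() != adv["component"].lower():
                continue
            if adv["fixed_in"] is None:
                status = "verify PTF applied"   # no version boundary published
            elif parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                status = "vulnerable"
            else:
                status = "fixed"
            findings.append({"cve": adv["cve"], "component": comp["name"],
                             "version": comp["version"], "severity": adv["severity"],
                             "status": status})
    return findings


if __name__ == "__main__":
    for f in match_sbom(SBOM_JSON, ADVISORIES):
        print(f"{f['cve']}: {f['component']} {f['version']} -> {f['status']}")
```

Components not named in any advisory produce no finding, so the output lists only what needs action.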

Hardware Bills of Materials (HBOMs) also exist, but are less common. They are currently limited to firmware and cryptographic modules under standards like FIPS 140-3.

While SBOM and HBOM adoption is slowly increasing, their existence nonetheless aligns the mainframe ecosystem with the transparency standards already in place for cloud and distributed systems. Proving the integrity of both software and hardware supply chains is a significant step toward security resilience.

Secure by Design and Secure by Default

Mainframes embody many principles of secure architecture, but they also carry legacy baggage. Here’s where they shine and where they lag:

Strengths

  • Isolation and Reliability: Logical partitions (LPARs) and hypervisors enforce strong separation.
  • Access Control: RACF, ACF2, and Top Secret provide granular least-privilege enforcement.
  • Hardware Crypto: Crypto Express cards, validated to FIPS standards, deliver built-in encryption.
  • Uptime and Integrity: Journaling, auditing, and rollback guarantee secure failure modes.
  • Vendor Patch Discipline: Structured patching pipelines (PTFs/APARs) support long-term stability.

Weaknesses

  • Default Configurations: Systems sometimes ship with permissive RACF defaults or legacy interfaces.
  • Legacy Cryptography: DES, 3DES, and SHA-1 remain enabled in some environments.
  • Multi-Factor Authentication: Adoption lags despite available options.
  • SIEM Integration: System Management Facility (SMF) logs are robust but often siloed.
  • DevSecOps Practices: Automation and cloud-native integration trail modern ecosystems.

Compared against secure-by-design principles, mainframes score high in defense-in-depth, secure update mechanisms, and resilience (see Table 2). But attack surface reduction and transparency (SBOM adoption) remain in progress.

| Principle | Mainframe Strengths (Secure-by-Design) | Gaps (Secure-by-Default Challenges) |
| --- | --- | --- |
| Defense in Depth | LPAR isolation, crypto hardware, OS-level security managers | |
| Least Privilege | RACF, ACF2, and Top Secret enforce granular access | Default user groups still permissive on install |
| Secure Update Mechanisms | Mature patch and PTF/APAR pipeline | Manual application of fixes required |
| Secure Failure Modes | Built-in journaling, rollback, and recovery | Limited automation for modern SIEM alerting |
| Transparency & SBOM | SBOM adoption growing (Zowe, open-source) | Inconsistent vendor documentation |
| Attack Surface Reduction | Hardware segmentation, controlled APIs | Legacy protocols (FTP, TN3270) often still active |
| Resilience by Design | High availability and redundancy | Optional hardening features not default-enabled |

Table 2: Mainframe Alignment with Top Secure-by-Design Principles

The biggest impact on reducing mainframe vulnerabilities may come from “Secure-by-default.” Security is available in mainframe systems today, but implementing it is optional, left to each organization. Vendors and operators alike should shift to models where security is the baseline, enabled by default and verified continuously: rather than having to turn security options on, an organization would have to deliberately turn them off. There’s evidence that default opt-ins work in other areas, such as automatically enrolling employees in company-sponsored retirement plans to increase participation. Ultimately, lasting mainframe resilience depends on embracing ‘Secure-by-Default’ principles.

The Next Era of Mainframe Security

Mainframes continue to deliver on their reputation for resiliency and strong security fundamentals. However, the surrounding ecosystem has gaps in how CVEs are shared, patches are managed, and SBOMs and HBOMs are adopted.

The next era of mainframe security will depend on how quickly mainframe systems embrace the same supply chain and DevSecOps standards reshaping the rest of IT. It’s time for modern mainframes to catch up and keep up.
