The most secure system in the world is also vulnerable.
Mainframes remain the backbone of critical infrastructure, but they are not immune to modern threats. Some still see mainframes as unbreakable fortresses, while others view them as legacy systems lagging in modern defenses. Both views contain truth. The challenge now is balancing proven resilience with today’s demands for transparency and proactive risk reduction.
Bad actors are a reality, and mainframes are a real target. Opinions about mainframe security, however, fall into two camps. One holds that mainframes are the most secure systems in the world. The other argues that mainframes have the same security issues and are just as vulnerable as any other technology. Can these two seemingly opposing views both be true? It turns out they can.
From vendor advisories and Common Vulnerabilities and Exposures (CVE) disclosures to the growing push for software and hardware transparency, the landscape is shifting. Understanding how issues are reported, patched, and communicated is critical for a proactive defense.
It’s worth noting that most security issues and vulnerabilities would be resolved if we all just followed good cyber hygiene. The NetSPI 2025 Mainframe Security Report noted, “Almost everything we find in our (penetration) testing is preventable through proper configuration and management. The question is really about how much effort and attention organizations want to dedicate to securing these critical environments.” But in the meantime, enterprises must act to protect their mainframe critical infrastructure and data.
This article describes today’s mainframe security practices: what’s working, where the gaps remain, and why modern supply chain tools like Software Bill of Materials (SBOM) and Hardware Bill of Materials (HBOM) are becoming part of the conversation.
Product Security Process
Major mainframe vendors such as IBM, Broadcom, and BMC maintain “Product Security Incident Response Teams” (PSIRTs). These are the first line of communication when vulnerabilities surface.
Once identified, vendors issue advisories through these PSIRTs. The advisories drive the patching process, which is typically delivered as Program Temporary Fixes (PTFs). Unlike commodity IT systems, mainframes don’t follow a predictable “Patch Tuesday” cycle. Instead, updates depend on vendor bulletins and delivery through System Modification Program/Extended, or SMP/E.
Mainframe vulnerabilities are tracked like any other system, through CVEs. Two recent examples in Table 1 highlight the risks and the response process.
In one example, IBM Db2 for z/OS disclosed a denial-of-service vulnerability (CVE-2025-1000), which was mitigated with a PTF. Meanwhile, open-source Zowe patched an HTTP request smuggling issue in July 2025 (CVE-2025-41235).
| CVE ID | Component | Severity | Key Impact | Mitigation Status |
|---|---|---|---|---|
| CVE-2025-1000 | IBM Db2 for z/OS (client connection) | Medium (~5.3) | Denial of service via resource exhaustion during rerouting | Patch available from IBM (PTF/APAR) |
| CVE-2025-41235 | Zowe (Spring Cloud Gateway) | High (~8.6) | HTTP request smuggling via X-Forwarded-* header misuse | Fixed in Zowe v2.18.2 (July 2025 release) |
Table 1: CVE Examples for Mainframe
While CVEs are consistently documented, they’re often buried in vendor-specific channels. Few people have the time to wade through webpages looking to fix issues they don’t know exist. Integration into enterprise vulnerability platforms is still uneven, leaving many security teams dependent on manual monitoring or custom connectors.
SBOM and HBOM: Transparency in the Supply Chain
Historically, mainframe teams rarely considered software provenance. Patches and fixes came from trusted vendors, and that was the end of it. But the SolarWinds breach and other high-profile supply chain attacks changed the conversation.
According to IBM, the global average cost of a data breach in 2025 is USD 4.4 million. The good news is that this is a 9% decrease over last year, mainly driven by faster identification and containment.
Now, software bills of materials (SBOMs) are becoming a requirement, driven by U.S. federal mandates such as Executive Order 14028. SBOMs are increasingly included in mainframe-related products, especially open-source efforts like Zowe.
An SBOM acts like an ingredient list, showing every open-source library, module, and dependency baked into a product. For mainframes, enterprises can see not just the IBM or Broadcom components they expect, but also the smaller, open-source pieces that could introduce vulnerabilities.
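The two practical problems raised above, advisories scattered across vendor channels and an SBOM that lists components nobody cross-checks, come together in one small "custom connector". The following is an added example, not code from the article or from any vendor: it loads a CycloneDX-style SBOM, compares each component's version with the first fixed version named in an advisory, and reports what needs patching. The SBOM document, the component names, the dotted-version comparison rule and the second advisory (with a placeholder CVE id) are constructed for this example; the Zowe advisory data (CVE-2025-41235, fixed in 2.18.2) comes from Table 1.

```python
"""Cross-reference an SBOM against vendor advisories (added example)."""
import json
import re

# Constructed CycloneDX-style SBOM for a hypothetical mainframe tooling install.
# Component names other than "zowe" are illustrative, not real package names.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "application", "name": "zowe", "version": "2.17.0"},
    {"type": "library", "name": "example-json-lib", "version": "1.4.2"},
    {"type": "library", "name": "example-tls-lib", "version": "3.0.1"}
  ]
}
"""

# Simplified advisory records: the affected product and the first version
# that contains the fix ("fixed_in" is exclusive: that version is safe).
ADVISORIES = [
    # Data from the article's Table 1.
    {"cve": "CVE-2025-41235", "product": "zowe", "fixed_in": "2.18.2",
     "summary": "HTTP request smuggling via X-Forwarded-* header misuse"},
    # Constructed placeholder advisory for a hypothetical transitive library.
    {"cve": "CVE-0000-00000 (placeholder)", "product": "example-json-lib",
     "fixed_in": "1.5.0", "summary": "constructed example"},
]


def parse_version(text):
    """Turn '2.18.2' into (2, 18, 2). Non-numeric parts become 0 so the
    comparison stays total; adequate for dotted numeric release strings."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", text))


def is_affected(component_version, fixed_in):
    """A component is affected when its version is older than the fix."""
    return parse_version(component_version) < parse_version(fixed_in)


def load_components(sbom_json):
    """Return (name, version) pairs from a CycloneDX-style SBOM document."""
    doc = json.loads(sbom_json)
    return [(c["name"], c.get("version", "0")) for c in doc.get("components", [])]


def find_vulnerable(sbom_json, advisories):
    """Return one finding dict per (component, advisory) match."""
    findings = []
    for name, version in load_components(sbom_json):
        for adv in advisories:
            if adv["product"] == name and is_affected(version, adv["fixed_in"]):
                findings.append({
                    "component": name,
                    "installed": version,
                    "fixed_in": adv["fixed_in"],
                    "cve": adv["cve"],
                })
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(SBOM_JSON, ADVISORIES):
        print(f"{f['cve']}: {f['component']} {f['installed']} "
              f"-> upgrade to {f['fixed_in']}")
```

In a real deployment the advisory list would be fed from the vendor PSIRT bulletins or an NVD export rather than a literal, and the SBOM would be the one shipped with the product; the matching logic stays the same. Note that the Db2 example in Table 1 is remediated by a PTF rather than a version bump, so a connector for IBM products also needs to know which PTFs are applied, which an SBOM alone does not tell you.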
Hardware Bills of Materials (HBOMs) also exist, but are less common. They are currently limited to firmware and cryptographic modules under standards like FIPS 140-3.
While SBOM and HBOM adoption is increasing only slowly, their existence nonetheless aligns the mainframe ecosystem with the transparency standards already in place for cloud and distributed systems. Proving the integrity of both software and hardware supply chains is a significant step toward security resilience.
Secure by Design and Secure by Default
Mainframes embody many principles of secure architecture, but they also carry legacy baggage. Here’s where they shine and where they lag:
Strengths
- Isolation and Reliability: Logical partitions (LPARs) and hypervisors enforce strong separation.
- Access Control: RACF, ACF2, and Top Secret provide granular least-privilege enforcement.
- Hardware Crypto: Crypto Express cards, validated to FIPS standards, deliver built-in encryption.
- Uptime and Integrity: Journaling, auditing, and rollback guarantee secure failure modes.
- Vendor Patch Discipline: Structured patching pipelines (PTFs/APARs) support long-term stability.
Weaknesses
- Default Configurations: Systems sometimes ship with permissive RACF defaults or legacy interfaces.
- Legacy Cryptography: DES, 3DES, and SHA-1 remain enabled in some environments.
- Multi-Factor Authentication: Adoption lags despite available options.
- SIEM Integration: System Management Facility (SMF) logs are robust but often siloed.
- DevSecOps Practices: Automation and cloud-native integration trail modern ecosystems.
Compared against secure-by-design principles, mainframes score high on defense in depth, secure update mechanisms, and resilience (see Table 2). Attack surface reduction and transparency (SBOM adoption), however, remain works in progress.
| Principle | Mainframe Strengths (Secure-by-Design) | Gaps (Secure-by-Default Challenges) |
|---|---|---|
| Defense in Depth | LPAR isolation, crypto hardware, OS-level security managers | — |
| Least Privilege | RACF, ACF2, and Top Secret enforce granular access | Default user groups still permissive on install |
| Secure Update Mechanisms | Mature patch and PTF/APAR pipeline | Manual application of fixes required |
| Secure Failure Modes | Built-in journaling, rollback, and recovery | Limited automation for modern SIEM alerting |
| Transparency & SBOM | SBOM adoption growing (Zowe, open-source) | Inconsistent vendor documentation |
| Attack Surface Reduction | Hardware segmentation, controlled APIs | Legacy protocols (FTP, TN3270) often still active |
| Resilience by Design | High availability and redundancy | Optional hardening features not default-enabled |
Table 2: Mainframe Alignment with Top Secure-by-Design Principles
The biggest impact on reducing mainframe vulnerabilities may come from “Secure-by-default.” Security controls are available in mainframe systems today, but implementing them is optional and left to each organization. Vendors and operators alike should shift to models where security is the baseline, enabled by default and verified continuously. Instead of having to turn security options on, an organization would have to deliberately turn them off. There is evidence that default opt-ins work in other areas, such as automatically enrolling employees in company-sponsored retirement plans to increase participation. Ultimately, lasting mainframe resilience depends on embracing “Secure-by-Default” principles.
The Next Era of Mainframe Security
Mainframes continue to deliver on their reputation for resiliency and strong security fundamentals. However, the surrounding ecosystem has gaps in how CVEs are shared, patches are managed, and SBOMs and HBOMs are adopted.
The next era of mainframe security will depend on how quickly mainframe systems embrace the same supply chain and DevSecOps standards reshaping the rest of IT. It’s time for modern mainframes to catch up and keep up.