
IBM CVE-2025-36373

EUVD ID: EUVD-2025-209174
Severity: MEDIUM (CVSS 3.1 base score 4.1)
Weakness: Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497)
Published: 2026-04-01
Vendor: ibm
Advisory: GHSA-6hwx-hvw3-r56g

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

CVE Published: Apr 01, 2026, 20:47 (nvd), severity MEDIUM 4.1
Patch released: Apr 01, 2026, 21:15 (nvd), patch available
Analysis Generated: Apr 01, 2026, 21:15 (vuln.today)
EUVD ID Assigned: Apr 01, 2026, 21:15 (euvd), EUVD-2025-209174

Description (NVD)

IBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0, IBM DataPower Gateway 10.5.0 10.5.0.0 through 10.5.0.20, and IBM DataPower Gateway 10.6.0 10.6.0.0 through 10.6.0.8 could disclose sensitive system information from other domains to an administrative user.

Analysis (AI)

IBM DataPower Gateway versions 10.6CD (10.6.1.0-10.6.5.0), 10.5.0 (10.5.0.0-10.5.0.20), and 10.6.0 (10.6.0.0-10.6.0.8) disclose sensitive system information from other domains to authenticated administrative users due to improper access control. Exploitation requires high-privilege administrative access over the network and affects confidentiality only; no public exploit code or active exploitation has been confirmed. The CVSS score of 4.1 reflects low real-world risk because of the authentication requirement, and the availability of a patch limits the exposure window.

Technical Context (AI)

This vulnerability stems from CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere), indicating that the DataPower Gateway application fails to enforce proper domain isolation or information access boundaries at the administrative interface level. DataPower Gateway is IBM's API and XML gateway appliance used for protocol transformation and security in enterprise SOA/microservices environments. The flaw allows an authenticated admin user to access sensitive metadata or configuration details belonging to other administrative domains that should be segregated from that user's own domain. The cross-domain nature (Scope: Changed in CVSS) indicates that the vulnerability affects the confidentiality of information outside the security boundary of the administrative domain the attacker is authorized to manage.

Remediation (AI)

Apply the vendor-released patch from IBM via the support notice at https://www.ibm.com/support/pages/node/7267833. Update affected DataPower Gateway instances to patched versions that enforce proper domain isolation and prevent cross-domain information access by administrative users. As an interim mitigation, restrict administrative access to DataPower Gateway to trusted personnel and implement network-level controls (IP allowlisting, VPN requirements) to limit administrative console connectivity. After patching, verify the domain configurations to confirm that sensitive information remains segregated between administrative domains.
