CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Description (NVD)
IBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0, IBM DataPower Gateway 10.5.0 10.5.0.0 through 10.5.0.20, and IBM DataPower Gateway 10.6.0 10.6.0.0 through 10.6.0.8 are vulnerable to cross-site request forgery, which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
Analysis (AI)
IBM DataPower Gateway versions 10.5.0.0-10.5.0.20, 10.6.0.0-10.6.0.8, and 10.6.1.0-10.6.5.0 are vulnerable to cross-site request forgery (CSRF). An unauthenticated remote attacker who can get an authenticated user to interact with attacker-controlled content can cause unauthorized actions to be executed with that user's privileges. The vulnerability carries a CVSS score of 6.5; its real-world risk is medium because user interaction is required and the impact is limited to integrity (no confidentiality or availability impact).
Technical Context (AI)
The vulnerability is rooted in CWE-352 (Cross-Site Request Forgery), a web security flaw in which an attacker crafts a malicious request and tricks a legitimate, already-authenticated user into submitting it to a trusted application, which then processes it with the user's session. In DataPower Gateway, the absence or improper validation of anti-CSRF defenses (such as per-session synchronizer tokens or the SameSite cookie attribute) could allow an attacker to forge requests that modify gateway configuration, policies, or other administrative functions. The affected products (CPE: cpe:2.3:a:ibm:datapower_gateway_10.5.0:*:*:*:*:*:*:*:*, cpe:2.3:a:ibm:datapower_gateway_10.6.0:*:*:*:*:*:*:*:*, cpe:2.3:a:ibm:datapower_gateway_10.6cd:*:*:*:*:*:*:*:*) are enterprise API management and integration platforms where CSRF protection is critical because they manage sensitive security policies and integrations.
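The following is an added, stand-alone example of the defense the paragraph above names: the synchronizer-token pattern plus a SameSite session cookie, with an Origin/Referer check as a second layer. It is not IBM DataPower code and says nothing about how DataPower's admin interface is implemented; the session store, the "csrf_token" form field, the cookie name and the ADMIN_ORIGIN value are all hypothetical. The function returns a reason string alongside the decision so that a reviewer can see which layer rejected a forged request.

```python
"""Synchronizer-token CSRF check (illustrative; not IBM DataPower code).

Hypothetical assumptions: the server keeps a session store keyed by the
"session" cookie, every state-changing request carries the session's
token in a form field named "csrf_token", and the legitimate admin UI is
served from ADMIN_ORIGIN.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Mapping, Tuple

ADMIN_ORIGIN = "https://gateway.example.internal"  # hypothetical UI origin
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # must never change state


@dataclass
class Session:
    """Server-side session; the CSRF token is generated once per session."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value: SameSite=Lax stops the browser from attaching the
    session cookie to cross-site POSTs, Secure/HttpOnly limit exposure."""
    return f"session={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"


def _same_origin(headers: Mapping[str, str]) -> bool:
    """Origin must match exactly; Referer must be a URL under ADMIN_ORIGIN.
    A prefix test on the bare origin would accept gateway.example.internal.evil."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == ADMIN_ORIGIN
    referer = headers.get("Referer", "")
    return referer.startswith(ADMIN_ORIGIN + "/")


def is_authorized_request(method: str,
                          cookies: Mapping[str, str],
                          form: Mapping[str, str],
                          headers: Mapping[str, str],
                          sessions: Dict[str, Session]) -> Tuple[bool, str]:
    """Decide whether a request may perform a state-changing action.

    Returns (accepted, reason). Safe methods are always allowed; everything
    else needs a valid session, a same-site origin, and a token that matches
    the one bound to that session (compared in constant time).
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    sess = sessions.get(cookies.get("session", ""))
    if sess is None:
        return False, "no valid session"
    if not _same_origin(headers):
        return False, "cross-site origin"
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(sess.csrf_token, submitted):
        return False, "missing or mismatched csrf token"
    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed requests: one legitimate admin submission and three forgeries."""
    sessions = {"s1": Session(user="admin")}
    token = sessions["s1"].csrf_token
    cookie = {"session": "s1"}  # browser attaches this to same-site requests
    return {
        "legit": is_authorized_request(
            "POST", cookie, {"csrf_token": token, "action": "add-policy"},
            {"Origin": ADMIN_ORIGIN}, sessions),
        # Attacker page auto-submits a form; browser sends the cookie but
        # the Origin header reveals the foreign site.
        "forged_cross_site": is_authorized_request(
            "POST", cookie, {"action": "add-policy"},
            {"Origin": "https://attacker.example"}, sessions),
        # Same-site request that simply omits the token (e.g. an endpoint
        # the UI forgot to protect).
        "forged_no_token": is_authorized_request(
            "POST", cookie, {"action": "add-policy"},
            {"Origin": ADMIN_ORIGIN}, sessions),
        # Guessed token with no knowledge of the session-bound value.
        "forged_wrong_token": is_authorized_request(
            "POST", cookie, {"csrf_token": "guess", "action": "add-policy"},
            {"Origin": ADMIN_ORIGIN}, sessions),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} -> {verdict}")
```

Both checks matter: the origin check fails open when a browser omits both Origin and Referer only if the code lets it, which is why the helper rejects that case, and the token check is what protects endpoints reached from a legitimately same-site page that nonetheless lacks the token.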
Remediation (AI)
A vendor-released patch is available per the IBM security advisory. Organizations should upgrade to patched versions of IBM DataPower Gateway 10.5.0 (beyond 10.5.0.20), 10.6.0 (beyond 10.6.0.8), or 10.6CD (beyond 10.6.5.0) as directed by IBM's advisory at https://www.ibm.com/support/pages/node/7268034. As an interim control, restrict administrative access to DataPower Gateway to trusted networks or require multi-factor authentication, which reduces the chance that compromised credentials or social engineering lead to unauthorized actions. Additionally, instruct administrators not to follow links from untrusted sources while authenticated to the gateway.
Related identifiers: EUVD-2025-209176, GHSA-558v-r8m2-hmjm