EUVD-2025-209174

CVE-2025-36373 | Severity: MEDIUM | Score: 4.1 (CVSS 3.1)
Published: 2026-04-01 | Vendor: ibm | GHSA-6hwx-hvw3-r56g

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

EUVD ID Assigned - Apr 01, 2026 21:15 (euvd): EUVD-2025-209174
Analysis Generated - Apr 01, 2026 21:15 (vuln.today)
Patch Released - Apr 01, 2026 21:15 (nvd): Patch available
CVE Published - Apr 01, 2026 20:47 (nvd)

Description

IBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0, IBM DataPower Gateway 10.5.0 10.5.0.0 through 10.5.0.20, and IBM DataPower Gateway 10.6.0 10.6.0.0 through 10.6.0.8 could disclose sensitive system information from other domains to an administrative user.

Analysis

IBM DataPower Gateway versions 10.6CD (10.6.1.0-10.6.5.0), 10.5.0 (10.5.0.0-10.5.0.20), and 10.6.0 (10.6.0.0-10.6.0.8) disclose sensitive system information from other domains to authenticated administrative users due to improper access control. Exploitation requires high-privilege administrative access over the network and results in a confidentiality impact only; no public exploit code or active exploitation has been confirmed. The CVSS score of 4.1 reflects low real-world risk given the authentication requirement, and the availability of a patch further limits the exposure window.

Technical Context

This vulnerability stems from CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere), indicating that the DataPower Gateway application fails to enforce proper domain isolation or information access boundaries at the administrative interface level. DataPower Gateway is IBM's API and XML gateway appliance used for protocol transformation and security in enterprise SOA/microservices environments. The flaw allows an authenticated admin user to access sensitive metadata or configuration details belonging to other administrative domains that should be segregated. The cross-domain nature (Scope: Changed in CVSS) indicates that the vulnerability impacts the confidentiality of information outside the immediate security boundary of the attacker's own administrative domain.

Affected Products

IBM DataPower Gateway 10.6CD versions 10.6.1.0 through 10.6.5.0, IBM DataPower Gateway 10.5.0 versions 10.5.0.0 through 10.5.0.20, and IBM DataPower Gateway 10.6.0 versions 10.6.0.0 through 10.6.0.8 are affected. Refer to IBM support notice at https://www.ibm.com/support/pages/node/7267833 for comprehensive version lists and patch details.

Remediation

Apply the vendor-released patch from IBM via the support notice at https://www.ibm.com/support/pages/node/7267833. Update affected DataPower Gateway instances to patched versions that enforce proper domain isolation and prevent cross-domain information access by administrative users. Interim mitigation: restrict administrative access to DataPower Gateway to trusted personnel and implement network-level controls (IP whitelisting, VPN requirements) to limit administrative console connectivity. Verify domain configurations post-patch to ensure sensitive information remains segregated between administrative domains.

Priority Score

21 (scale: Low / Medium / High / Critical)

KEV: 0
EPSS: +0.0
CVSS: +20
POC: 0


EUVD-2025-209174 vulnerability details – vuln.today
