Skip to main content

IBM FTM SWIFT EUVDEUVD-2025-209929

| CVE-2025-36148 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-26 ibm GHSA-cg84-6rpp-59j4
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 08, 2026 - 12:45 vuln.today

DescriptionCVE.org

IBM Financial Transaction Manager for SWIFT Services for Multiplatforms 3.2.4.0 through 3.2.4.15 IBM Financial Transaction Manager SWIFT is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

AnalysisAI

Cross-site scripting in IBM Financial Transaction Manager for SWIFT Services for Multiplatforms versions 3.2.4.0 through 3.2.4.15 permits injection of arbitrary JavaScript into the Web UI, creating a pathway to credential disclosure within an authenticated operator's session. The Changed Scope (S:C) in the CVSS vector confirms the injected script executes in the victim's browser beyond the originating application boundary, elevating real-world impact in a SWIFT financial messaging context. No public exploit has been identified and EPSS stands at 0.05% (16th percentile), reflecting low immediate exploitation probability, though a discrepancy between the CVE description characterizing the attacker as unauthenticated and the CVSS PR:L vector warrants vendor clarification before finalizing risk posture.

Technical ContextAI

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-site Scripting), reflecting a failure to sanitize or encode attacker-controlled input before it is rendered in an HTML context within the IBM FTM Web UI. The affected software is confirmed by CPE string cpe:2.3:a:ibm:financial_transaction_manager_for_swift_services_for_multiplatforms:*:*:*:*:*:*:*:* as IBM Financial Transaction Manager for SWIFT Services for Multiplatforms, a platform used by financial institutions for SWIFT payment messaging operations. The CVSS Changed Scope (S:C) flag is technically significant: it indicates the script injected into the FTM Web UI executes in the victim's browser session outside the FTM application's own security boundary, enabling access to cookies, session tokens, or page content belonging to the victim - consistent with stored or reflected XSS patterns that target privileged operator sessions in transaction management systems.

RemediationAI

IBM has released a patch per the vendor advisory at https://www.ibm.com/support/pages/node/7272275; however, the specific patched version number is not present in the available intelligence data - administrators must consult the IBM advisory directly to identify and obtain the target release. As a compensating control pending patching, restricting access to the FTM Web UI to trusted internal network segments or VPN-only endpoints reduces exposure to external or semi-trusted actors, though this constraint limits remote administrative workflows. Deploying web application firewall rules that filter common XSS payload patterns on FTM Web UI endpoints provides additional defense-in-depth, with the trade-off that aggressive WAF rules may trigger false positives on legitimate form submissions within the transaction management interface. In environments where the Web UI is accessible to low-privileged or unauthenticated users, temporarily suspending such access until patching is complete is advisable given the SWIFT credential disclosure risk.

Share

EUVD-2025-209929 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy