CVE-2025-25021

7.2 HIGH

📋 TL;DR

This vulnerability in IBM QRadar Suite and Cloud Pak for Security allows privileged users to execute arbitrary code when creating case management scripts due to improper code generation. It affects administrators and users with script creation privileges in affected versions. The issue stems from insufficient input validation in script generation functionality.

💻 Affected Systems

Products:
  • IBM QRadar Suite Software
  • IBM Cloud Pak for Security
Versions: QRadar Suite 1.10.12.0 through 1.11.2.0; Cloud Pak for Security 1.10.0.0 through 1.10.11.0
Operating Systems: Linux-based platforms running IBM security software
Default Config Vulnerable: ⚠️ Yes
Notes: Requires privileged access to case management script creation functionality. All default installations within the affected version ranges are vulnerable.

⚠️ Risk & Real-World Impact

🔴

Worst Case

A privileged attacker could execute arbitrary code with elevated privileges, potentially gaining complete control of the affected system, accessing sensitive security data, and compromising the entire security monitoring infrastructure.

🟠

Likely Case

A malicious insider or compromised privileged account could execute code to escalate privileges, exfiltrate sensitive security data, or maintain persistence within the security monitoring system.

🟢

If Mitigated

With proper access controls and monitoring, the impact is limited to authorized users who might accidentally trigger the vulnerability, potentially causing service disruption but not full compromise.

🌐 Internet-Facing: LOW - This vulnerability requires privileged access to the administrative interface, which should not be directly exposed to the internet in properly configured environments.
🏢 Internal Only: HIGH - The vulnerability is accessible to internal privileged users, making it a significant risk for insider threats or compromised internal accounts.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - The vulnerability is in script generation functionality that privileged users can access directly.

Exploitation requires authenticated privileged access. No public exploit code has been reported as of the advisory date.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: QRadar Suite 1.11.3.0 and later; Cloud Pak for Security 1.10.12.0 and later

Vendor Advisory: https://www.ibm.com/support/pages/node/7235432

Restart Required: Yes

Instructions:

1. Review the IBM advisory for specific upgrade paths.
2. Back up the current configuration and data.
3. Apply the security patch or upgrade to the fixed version.
4. Restart affected services.
5. Verify functionality post-upgrade.

🔧 Temporary Workarounds

Restrict Script Creation Privileges

Temporarily remove or restrict case management script creation privileges from non-essential users until patching can be completed.

# Review and modify user roles in QRadar/Cloud Pak administration interface
# Remove 'Create Script' or similar permissions from unnecessary accounts

Enhanced Monitoring of Script Activities

Implement additional logging and monitoring for all script creation and modification activities.

# Configure audit logging for case management operations
# Set up alerts for unusual script creation patterns

🧯 If You Can't Patch

  • Implement strict least-privilege access controls for script creation functionality
  • Deploy network segmentation to isolate affected systems and monitor all administrative access

🔍 How to Verify

Check if Vulnerable:

Check the installed version via the QRadar/Cloud Pak administration interface or by examining the software version files in the installation directory.

Check Version:

# For QRadar: Check /opt/qradar/bin/about.properties or admin interface
# For Cloud Pak: Check deployment configuration or use 'oc get pods' for version info

Verify Fix Applied:

Verify the version is updated to QRadar Suite 1.11.3.0+ or Cloud Pak for Security 1.10.12.0+ and test script creation functionality.
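The version check above can be scripted against the ranges this summary lists. The following is an added example, not IBM's tooling: it compares a four-part dotted version against the inclusive affected ranges and the fixed versions stated on this page, and reports versions that fall outside the listed ranges separately rather than calling them safe. The product keys and the `CHECK_THIS` placeholder are assumptions for illustration.

```python
from typing import Tuple

# Inclusive affected ranges and first fixed versions as stated in this summary.
# Product keys are illustrative labels, not vendor identifiers.
AFFECTED = {
    "qradar_suite": (("1.10.12.0", "1.11.2.0"), "1.11.3.0"),
    "cloud_pak_for_security": (("1.10.0.0", "1.10.11.0"), "1.10.12.0"),
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.11.2.0' into (1, 11, 2, 0); shorter strings are padded with zeros
    so that '1.11' and '1.11.0.0' compare equal (numeric, not string, order)."""
    parts = [int(p) for p in v.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {v!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def assess(product: str, version: str) -> str:
    """Return 'affected', 'fixed', or 'outside_listed_range'.

    'outside_listed_range' covers versions older than the affected range or
    sitting between its upper bound and the fix; the summary says nothing
    about those, so the advisory itself has to be consulted for them."""
    (low, high), fixed = AFFECTED[product]
    v = parse_version(version)
    if v >= parse_version(fixed):
        return "fixed"
    if parse_version(low) <= v <= parse_version(high):
        return "affected"
    return "outside_listed_range"


if __name__ == "__main__":
    # CHECK_THIS: replace with the version read from the admin interface or
    # the installation's version files (constructed sample values below).
    for product, ver in [("qradar_suite", "1.11.2.0"),
                         ("cloud_pak_for_security", "1.10.12.0")]:
        print(product, ver, assess(product, ver))
```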

📡 Detection & Monitoring

Log Indicators:

  • Unusual script creation activities
  • Multiple script creation attempts by single user
  • Scripts with suspicious content or patterns

Network Indicators:

  • Unexpected outbound connections from QRadar/Cloud Pak systems
  • Unusual administrative access patterns

SIEM Query:

source="qradar" AND (event="Script Created" OR event="Case Management Activity") | stats count by user, src_ip
