CVE-2025-33097

6.4 MEDIUM

📋 TL;DR

IBM QRadar SIEM versions 7.5 through 7.5.0 UP12 IF02 contain a stored cross-site scripting vulnerability that allows authenticated users to inject malicious JavaScript into the web interface. This could enable attackers to steal credentials or perform unauthorized actions within authenticated sessions. Only authenticated users can exploit this vulnerability.

💻 Affected Systems

Products:
  • IBM QRadar SIEM
Versions: 7.5 through 7.5.0 UP12 IF02
Operating Systems: All supported QRadar platforms
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments within the affected version range are vulnerable. The vulnerability exists in the web UI components.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An authenticated malicious insider or compromised account could inject JavaScript that captures administrator credentials, leading to full system compromise and data exfiltration.

🟠 Likely Case

Authenticated attackers could create malicious dashboards or alerts that execute JavaScript in other users' browsers, potentially stealing session tokens or performing unauthorized actions.

🟢 If Mitigated

With proper input validation and output encoding, the JavaScript would be rendered harmless as text rather than executable code.

🌐 Internet-Facing: MEDIUM - While the vulnerability requires authentication, internet-facing QRadar instances could be targeted if credentials are compromised.
🏢 Internal Only: HIGH - Internal authenticated users (including potentially compromised accounts) can exploit this to target other users within the organization.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to the QRadar web interface. The attack involves injecting JavaScript into fields that are then rendered in other users' browsers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply fix as per IBM Security Bulletin

Vendor Advisory: https://www.ibm.com/support/pages/node/7239755

Restart Required: Yes

Instructions:

1. Review the IBM Security Bulletin.
2. Apply the recommended fix or upgrade to a non-vulnerable version.
3. Restart QRadar services as required.
4. Verify the fix is applied.

🔧 Temporary Workarounds

Input Validation Enhancement

Applies to: all

Implement additional input validation for all user-controllable fields in the QRadar web interface

Content Security Policy

Applies to: all

Implement strict Content Security Policy headers to limit script execution

🧯 If You Can't Patch

  • Restrict user permissions to minimum required levels to limit potential attackers
  • Implement network segmentation to isolate QRadar from other critical systems

🔍 How to Verify

Check if Vulnerable:

Check the QRadar version via Admin > System and License Management > Deployment Status. If the version is between 7.5 and 7.5.0 UP12 IF02 inclusive, the system is vulnerable.

Check Version:

ssh admin@qradar-host 'sudo /opt/qradar/bin/myver -v'

Verify Fix Applied:

After applying IBM's fix, verify the version shows as patched and test that JavaScript injection in user-controllable fields is properly sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual JavaScript patterns in QRadar web logs
  • Multiple failed login attempts followed by successful authentication and UI modifications

Network Indicators:

  • Unusual outbound connections from QRadar server following user interaction with web interface

SIEM Query:

source="qradar" AND (eventDescription="XSS" OR message CONTAINS "script" OR message CONTAINS "javascript")
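The two log indicators above, applied to constructed audit lines, as an added example that is not part of this advisory or IBM's own tooling. The line format, field names and action names are assumptions, not QRadar's real audit schema; the point is the logic: flag script-looking text stored through a UI action, and flag a UI change by a user who authenticated right after a burst of failed logins.

```python
# Added example (not from the advisory or IBM): applies the page's two log
# indicators to constructed QRadar-style audit lines (field names assumed).
import re
from collections import defaultdict

# Constructed sample audit lines: "<ts> user=<u> action=<a> status=<ok|fail> [value=<text>]"
SAMPLE_LOG = """\
10:00:01 user=alice action=login status=fail
10:00:03 user=alice action=login status=fail
10:00:05 user=alice action=login status=fail
10:00:09 user=alice action=login status=ok
10:00:30 user=alice action=dashboard_update status=ok value=<script>void 0</script>
10:01:00 user=bob action=login status=ok
10:01:20 user=bob action=dashboard_update status=ok value=Weekly Firewall Summary
10:02:00 user=carol action=rule_update status=ok value=javascript:void(0)
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
                     r"status=(?P<status>\S+)(?: value=(?P<value>.*))?$")
# Markup or URL-scheme fragments that have no place in a dashboard or rule name.
SCRIPT_RE = re.compile(r"<\s*/?\s*script|javascript:|\bon\w+\s*=", re.I)
UI_ACTIONS = {"dashboard_update", "rule_update"}   # actions that store user-supplied text
FAILED_LOGIN_THRESHOLD = 3
def parse(log_text):
    """Parse the constructed log into dicts, skipping lines that do not match."""
    return [m.groupdict() for line in log_text.splitlines() if (m := LINE_RE.match(line))]

def find_script_payloads(events):
    """Indicator 1: script-looking text stored through a UI action."""
    return [e for e in events
            if e["action"] in UI_ACTIONS and e["value"] and SCRIPT_RE.search(e["value"])]

def find_bruteforce_then_edit(events):
    """Indicator 2: per user, >= threshold failed logins, then success, then a UI change."""
    fails, suspect, flagged = defaultdict(int), set(), []
    for e in events:
        u = e["user"]
        if e["action"] == "login":
            if e["status"] == "fail":
                fails[u] += 1
                continue
            if fails[u] >= FAILED_LOGIN_THRESHOLD:
                suspect.add(u)          # success right after a burst of failures
            fails[u] = 0
        elif e["action"] in UI_ACTIONS and u in suspect:
            flagged.append(e)
    return flagged

def detect(log_text=SAMPLE_LOG):
    """Return the users each indicator fires on, for analyst triage."""
    events = parse(log_text)
    return {"payload_users": sorted({e["user"] for e in find_script_payloads(events)}),
            "bruteforce_users": sorted({e["user"] for e in find_bruteforce_then_edit(events)})}
```

A user appearing under both keys (alice in the sample) is the strongest triage candidate; bob's ordinary dashboard edit does not fire either rule.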
