CVE-2025-36114
📋 TL;DR
IBM QRadar SOAR Plugin App versions 1.0.0 through 5.6.0 contain a directory traversal vulnerability that allows remote attackers to read arbitrary files on the system by sending specially crafted URL requests containing directory traversal sequences (/../). This affects organizations using vulnerable versions of the IBM QRadar SOAR Plugin App.
💻 Affected Systems
- IBM QRadar SOAR Plugin App
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could read sensitive system files, configuration files, credentials, or other critical data, potentially leading to full system compromise.
Likely Case
Attackers would read configuration files, logs, or other sensitive data that could be used for further attacks or information gathering.
If Mitigated
With proper network segmentation and access controls, impact would be limited to files accessible by the application's service account.
🎯 Exploit Status
Exploitation requires sending specially crafted HTTP requests but does not require authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 5.6.1 or later
Vendor Advisory: https://www.ibm.com/support/pages/node/7242664
Restart Required: No
Instructions:
1. Access the IBM QRadar SOAR administration console.
2. Navigate to plugin management.
3. Update the IBM QRadar SOAR Plugin App to version 5.6.1 or later.
4. Verify the update completed successfully.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to the IBM QRadar SOAR Plugin App to only trusted IP addresses and networks.
Web Application Firewall Rules
Implement WAF rules to block HTTP requests containing directory traversal sequences (/../, ..\, etc.).
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the vulnerable system from untrusted networks.
- Deploy a web application firewall with rules specifically blocking directory traversal patterns.
🔍 How to Verify
Check if Vulnerable:
Check the IBM QRadar SOAR Plugin App version in the administration console. If version is between 1.0.0 and 5.6.0 inclusive, the system is vulnerable.
Check Version:
Check version via IBM QRadar SOAR administration console under plugin management.
Verify Fix Applied:
Verify the IBM QRadar SOAR Plugin App version is 5.6.1 or later in the administration console.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing /../ sequences
- Unusual file access patterns from the plugin application
- Failed attempts to access restricted files
Network Indicators:
- HTTP requests with directory traversal patterns to the plugin endpoint
- Unusual outbound data transfers following traversal attempts
SIEM Query:
source="web_logs" AND (url="*../*" OR url="*..\\*" OR url="*%2e%2e%2f*") AND dest_ip="[QRadar_SOAR_IP]"
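The SIEM query above matches three literal patterns. As an added example (not part of this advisory and not IBM tooling), the following Python script runs the same check over constructed web-server log lines, but percent-decodes each request path before matching so single- and double-encoded traversal sequences are caught, and it ignores benign double dots inside file names such as report..pdf. The log format, field names and sample entries are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed CLF-style web-server log lines; not real QRadar SOAR logs.
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /plugin/app/config.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2025:10:00:01 +0000] "GET /plugin/app/../../../etc/passwd HTTP/1.1" 200 1024',
    '10.0.0.9 - - [01/Jan/2025:10:00:02 +0000] "GET /plugin/app/%2e%2e%2f%2e%2e%2fetc/shadow HTTP/1.1" 403 0',
    '10.0.0.9 - - [01/Jan/2025:10:00:03 +0000] "GET /plugin/app/%252e%252e%252fetc/hosts HTTP/1.1" 200 300',
    '10.0.0.9 - - [01/Jan/2025:10:00:04 +0000] "GET /plugin/app/files/report..pdf HTTP/1.1" 200 2048',
]

# client, method, path, status from a CLF request line (assumed format)
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3})')
# ".." as a whole path segment, delimited by / or \ (or string start/end)
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')


def decode_fully(path, max_rounds=3):
    """Percent-decode until stable so double-encoded %252e%252e%252f is normalised too."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(path):
    """True if the decoded path contains a '..' segment; 'report..pdf' does not count."""
    return bool(TRAVERSAL_RE.search(decode_fully(path)))


def find_traversal_requests(lines):
    """Return one record per request whose path decodes to a traversal sequence."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # unparseable line; a production detector would count these
        src, method, path, status = m.groups()
        if is_traversal(path):
            # A 200 on a traversal request is the higher-priority indicator; a 403
            # still shows probing (the "failed attempts" indicator above).
            hits.append({"src": src, "method": method, "path": path,
                         "decoded": decode_fully(path), "status": int(status)})
    return hits
```

Feed the full-decoded path, not the raw URL, to any allow/deny rule, since the literal `*../*` pattern alone never sees the encoded variants.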