CVE-2025-36170

6.4 MEDIUM

📋 TL;DR

IBM QRadar SIEM versions 7.5 through 7.5.0 Update Pack 13 Independent Fix 02 contain a stored cross-site scripting vulnerability. Authenticated users can inject malicious JavaScript into the web interface, potentially stealing credentials or performing unauthorized actions within trusted sessions. This affects organizations using vulnerable QRadar deployments.

💻 Affected Systems

Products:
  • IBM QRadar SIEM
Versions: 7.5 through 7.5.0 Update Pack 13 Independent Fix 02
Operating Systems: All supported QRadar platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to the QRadar web interface. All default configurations are vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

An authenticated attacker could steal administrator credentials, gain full system control, pivot to other systems, and maintain persistent access to the SIEM environment.

🟠

Likely Case

An authenticated user with malicious intent could steal session cookies or credentials from other users, potentially escalating privileges within the QRadar environment.

🟢

If Mitigated

With proper input validation and output encoding, the attack would fail to execute malicious scripts, limiting impact to data display issues.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access and knowledge of vulnerable input fields. The attacker needs to craft and inject malicious JavaScript payloads.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply IBM QRadar SIEM 7.5.0 Update Pack 14 or later

Vendor Advisory: https://www.ibm.com/support/pages/node/7249278

Restart Required: No

Instructions:

1. Download Update Pack 14 or later from IBM Fix Central.
2. Follow IBM's QRadar update documentation.
3. Apply the update to all QRadar components.
4. Verify successful installation through the QRadar admin interface.

🔧 Temporary Workarounds

Input Validation Enhancement

Implement additional input validation and output encoding for user-supplied data in custom QRadar applications

🧯 If You Can't Patch

  • Implement strict access controls to limit authenticated users who can modify web interface content
  • Deploy a web application firewall (WAF) with XSS protection rules in front of QRadar

🔍 How to Verify

Check if Vulnerable:

Check the QRadar version via Admin > System & License Management > Deployment Status. If the version is between 7.5 and 7.5.0 UP13 IF02, the system is vulnerable.

Check Version:

ssh admin@qradar-host 'sudo /opt/qradar/bin/myver -v'

Verify Fix Applied:

Verify version shows 7.5.0 Update Pack 14 or later in the Deployment Status page. Test previously vulnerable input fields for script execution.

📡 Detection & Monitoring

Log Indicators:

  • Unusual JavaScript payloads in QRadar application logs
  • Multiple failed XSS attempts in web server logs
  • Suspicious user activity patterns in authentication logs

Network Indicators:

  • Unusual outbound connections from QRadar server following web interface interactions
  • Suspicious HTTP requests containing script tags or JavaScript functions

SIEM Query:

SELECT * FROM events WHERE (category = 'WEB_APPLICATION' OR category = 'AUTHENTICATION') AND (payload CONTAINS '<script>' OR payload CONTAINS 'javascript:' OR payload CONTAINS 'onload=' OR payload CONTAINS 'onerror=')
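The query above, approximated offline as an added example (not from the advisory or from IBM): it applies the same four markers and category filter to constructed sample events, and additionally URL-decodes and lowercases each payload so encoded or mixed-case variants that a literal substring query would miss are still flagged. Event fields, paths and user names are constructed for illustration.

```python
import urllib.parse
from typing import Dict, List

# Markers taken from the advisory's SIEM query, compared case-insensitively.
XSS_MARKERS = ("<script>", "javascript:", "onload=", "onerror=")
WATCHED_CATEGORIES = ("WEB_APPLICATION", "AUTHENTICATION")

# Constructed sample events (not real QRadar log data).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"category": "WEB_APPLICATION", "user": "analyst1",
     "payload": "POST /console/app/form name=Daily+Report"},
    {"category": "WEB_APPLICATION", "user": "analyst2",
     "payload": "POST /console/app/form name=%3Cscript%3Ealert(1)%3C%2Fscript%3E"},
    {"category": "AUTHENTICATION", "user": "admin",
     "payload": "login ok from 10.0.0.5"},
    {"category": "WEB_APPLICATION", "user": "analyst3",
     "payload": "PUT /console/app/form desc=<img src=x ONERROR=alert(1)>"},
    {"category": "SYSTEM", "user": "root",
     "payload": "cron: <script> tag seen in backup name"},
]


def normalize(payload: str) -> str:
    """URL-decode (bounded, to handle double encoding) and lowercase the payload."""
    text = payload
    for _ in range(3):
        decoded = urllib.parse.unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text.lower()


def matches_xss_markers(payload: str) -> List[str]:
    """Return the markers found in the normalized payload, in XSS_MARKERS order."""
    text = normalize(payload)
    return [marker for marker in XSS_MARKERS if marker in text]


def find_suspicious(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Apply the category filter and marker match; one hit per matching event."""
    hits = []
    for event in events:
        if event["category"] not in WATCHED_CATEGORIES:
            continue
        found = matches_xss_markers(event["payload"])
        if found:
            hits.append({"user": event["user"], "category": event["category"],
                         "markers": found})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(hit)
```

Substring markers are a triage signal rather than proof of exploitation, so review hits against the user and the input field they touched before escalating.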
