CVE-2025-36376

6.3 MEDIUM

📋 TL;DR

IBM Security QRadar EDR versions 3.12 through 3.12.23 fail to properly invalidate sessions after expiration, allowing authenticated users to impersonate other users. This affects organizations using vulnerable QRadar EDR deployments where multiple users access the system.

💻 Affected Systems

Products:
  • IBM Security QRadar EDR
Versions: 3.12 through 3.12.23
Operating Systems: Not OS-specific
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments within the affected version range are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An authenticated malicious insider could impersonate an administrator, gaining full system control to exfiltrate sensitive data, modify configurations, or disrupt operations.

🟠 Likely Case

An authenticated user could impersonate another user with higher privileges to access unauthorized data or perform unauthorized actions within their session scope.

🟢 If Mitigated

With proper session management controls and monitoring, impact is limited to potential unauthorized access within the authenticated user's existing session constraints.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated user session and knowledge of session management flaws.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.12.24 or later

Vendor Advisory: https://www.ibm.com/support/pages/node/7260390

Restart Required: Yes

Instructions:

1. Download IBM Security QRadar EDR version 3.12.24 or later from IBM Fix Central.
2. Follow IBM's upgrade documentation for your deployment type.
3. Restart QRadar EDR services after upgrade completion.

🔧 Temporary Workarounds

Enforce Session Timeout Policies

Configure shorter session timeout values and ensure proper session invalidation mechanisms are enforced.

🧯 If You Can't Patch

  • Implement strict access controls and monitoring for user sessions
  • Enforce multi-factor authentication for all administrative accounts

🔍 How to Verify

Check if Vulnerable:

Check the QRadar EDR version via the web interface or command line. If the version is between 3.12 and 3.12.23 inclusive, the system is vulnerable.

Check Version:

Check web interface About page or consult IBM documentation for version query commands specific to your deployment.

Verify Fix Applied:

Verify version is 3.12.24 or later and test session expiration behavior.

📡 Detection & Monitoring

Log Indicators:

  • Multiple simultaneous sessions from same user account
  • Session activity continuing beyond configured timeout periods
  • Unusual privilege escalation patterns in audit logs

Network Indicators:

  • Abnormal session duration patterns in authentication logs

SIEM Query:

source="qradar_edr" AND ((event_type="session_activity" AND session_duration > 3600) OR (user_privilege_change WITHOUT admin_action))
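As an added illustration of the two log indicators above (not IBM's code, and not QRadar EDR's actual log format; the record layout, field names and one-hour timeout are assumptions), the following replays constructed session events and flags sessions that still accept activity after their idle timeout, plus accounts that log in while another session is already open:

```python
from collections import defaultdict
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(hours=1)  # assumed configured session timeout

# Constructed sample records (not QRadar EDR's real log format):
# (session_id, user, event, UTC timestamp)
SAMPLE_LOG = [
    ("s1", "alice", "login",    "2025-06-01T08:00:00"),
    ("s1", "alice", "activity", "2025-06-01T08:30:00"),
    ("s1", "alice", "activity", "2025-06-01T10:15:00"),  # 1h45m idle: should have expired
    ("s2", "bob",   "login",    "2025-06-01T09:00:00"),
    ("s3", "bob",   "login",    "2025-06-01T09:05:00"),  # second login while s2 is open
    ("s2", "bob",   "activity", "2025-06-01T09:30:00"),
    ("s3", "bob",   "logout",   "2025-06-01T09:40:00"),
    ("s4", "carol", "login",    "2025-06-01T09:00:00"),
    ("s4", "carol", "logout",   "2025-06-01T09:20:00"),
]

def _ordered(records):
    """Parse timestamps and sort chronologically so state is replayed in order."""
    parsed = [(s, u, e, datetime.fromisoformat(t)) for s, u, e, t in records]
    return sorted(parsed, key=lambda r: r[3])

def sessions_active_past_timeout(records, timeout=IDLE_TIMEOUT):
    """Indicator: activity accepted on a session idle longer than the timeout.
    A properly invalidated session would have rejected that request."""
    last_seen, flagged = {}, []
    for sid, _user, ev, ts in _ordered(records):
        if ev == "activity" and sid in last_seen and ts - last_seen[sid] > timeout:
            flagged.append(sid)
        if ev == "logout":
            last_seen.pop(sid, None)
        else:
            last_seen[sid] = ts
    return flagged

def users_with_concurrent_sessions(records):
    """Indicator: a login for an account that already has an open session."""
    open_sessions, flagged = defaultdict(set), []
    for sid, user, ev, _ts in _ordered(records):
        if ev == "login":
            if open_sessions[user]:
                flagged.append(user)
            open_sessions[user].add(sid)
        elif ev == "logout":
            open_sessions[user].discard(sid)
    return flagged
```

Hits from the first function are the direct symptom of this CVE (a session outliving its expiry); the second is noisier on its own and is best correlated with privilege changes from the audit log.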
