Vulnerabilites related to IBM - webMethods Integration
CVE-2025-36037 (GCVE-0-2025-36037)
Vulnerability from cvelistv5
Published
2025-09-22 15:17
Modified
2025-09-22 15:40
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Summary
IBM webMethods Integration 10.15 and 11.1
is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.ibm.com/support/pages/node/7245758 | vendor-advisory, patch |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | webMethods Integration |
Version: 10.15 Version: 11.1 cpe:2.3:a:ibm:webmethods:10.15:*:*:*:*:*:*:* cpe:2.3:a:ibm:webmethods:11.1:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36037",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-22T15:40:44.606749Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-22T15:40:55.670Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:webmethods:10.15:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:webmethods:11.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "webMethods Integration",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "10.15"
},
{
"status": "affected",
"version": "11.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM webMethods Integration 10.15 and 11.1 \n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eis vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.\u003c/span\u003e"
}
],
"value": "IBM webMethods Integration 10.15 and 11.1 \n\nis vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-22T15:17:10.663Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7245758"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM strongly recommends addressing the vulnerability now by applying the mentioned core fixes or later core fixes for the affected versions and following the respective readme document.\u003c/p\u003e\u003cp\u003eIS_10.15_Core_Fix22 or later\u003cbr\u003eIS_11.1_Core_Fix6 or later\u003c/p\u003e\u003cp\u003eFixes can be downloaded and installed via IBM webMethods Update Manager. Refer to How to Download webMethods Software (\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/node/7232491%29\"\u003ehttps://www.ibm.com/support/pages/node/7232491)\u003c/a\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
}
],
"value": "IBM strongly recommends addressing the vulnerability now by applying the mentioned core fixes or later core fixes for the affected versions and following the respective readme document.\n\nIS_10.15_Core_Fix22 or later\nIS_11.1_Core_Fix6 or later\n\nFixes can be downloaded and installed via IBM webMethods Update Manager. Refer to How to Download webMethods Software ( https://www.ibm.com/support/pages/node/7232491) https://www.ibm.com/support/pages/node/7232491%29"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM webMethods Integration server-side request forgery",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36037",
"datePublished": "2025-09-22T15:17:10.663Z",
"dateReserved": "2025-04-15T21:16:09.685Z",
"dateUpdated": "2025-09-22T15:40:55.670Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-36202 (GCVE-0-2025-36202)
Vulnerability from cvelistv5
Published
2025-09-22 15:14
Modified
2025-09-22 15:42
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-134 - Use of Externally-Controlled Format String
Summary
IBM webMethods Integration 10.15 and 11.1 could allow an authenticated user with required execute Services to execute commands on the system due to the improper validation of format string strings passed as an argument from an external source.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.ibm.com/support/pages/node/7245720 | vendor-advisory, patch |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | webMethods Integration |
Version: 10.15 Version: 11.1 cpe:2.3:a:ibm:webmethods:10.15:*:*:*:*:*:*:* cpe:2.3:a:ibm:webmethods:11.1:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36202",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-22T15:42:36.375502Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-22T15:42:51.190Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:webmethods:10.15:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:webmethods:11.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "webMethods Integration",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "10.15"
},
{
"status": "affected",
"version": "11.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rob Maslen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM webMethods Integration 10.15 and 11.1 could allow an authenticated user with required execute Services to execute commands on the system due to the improper validation of format string strings passed as an argument from an external source."
}
],
"value": "IBM webMethods Integration 10.15 and 11.1 could allow an authenticated user with required execute Services to execute commands on the system due to the improper validation of format string strings passed as an argument from an external source."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-134",
"description": "CWE-134 Use of Externally-Controlled Format String",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-22T15:14:44.349Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7245720"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM strongly recommends addressing the vulnerability now by applying the mentioned core fixes or later core fixes for the affected versions and following the respective readme document.\u003c/p\u003e\u003cp\u003eIS_10.15_Core_Fix22 or later\u003cbr\u003eIS_11.1_Core_Fix6 or later\u003c/p\u003e\u003cp\u003eFixes can be downloaded and installed via IBM webMethods Update Manager. Refer to How to Download webMethods Software (\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/node/7232491%29\"\u003ehttps://www.ibm.com/support/pages/node/7232491)\u003c/a\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
}
],
"value": "IBM strongly recommends addressing the vulnerability now by applying the mentioned core fixes or later core fixes for the affected versions and following the respective readme document.\n\nIS_10.15_Core_Fix22 or later\nIS_11.1_Core_Fix6 or later\n\nFixes can be downloaded and installed via IBM webMethods Update Manager. Refer to How to Download webMethods Software ( https://www.ibm.com/support/pages/node/7232491) https://www.ibm.com/support/pages/node/7232491%29"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM webMethods Integration code execution",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36202",
"datePublished": "2025-09-22T15:14:44.349Z",
"dateReserved": "2025-04-15T21:16:38.691Z",
"dateUpdated": "2025-09-22T15:42:51.190Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45074 (GCVE-0-2024-45074)
Vulnerability from cvelistv5
Published
2024-09-04 16:02
Modified
2024-09-04 16:18
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
IBM webMethods Integration 10.15 could allow an authenticated user to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | webMethods Integration |
Version: 10.15 cpe:2.3:a:softwareag:webmethods:10.15:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45074",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-04T16:18:05.075398Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T16:18:12.246Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:softwareag:webmethods:10.15:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "webMethods Integration",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "10.15"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM webMethods Integration 10.15 could allow an authenticated user to traverse directories on the system. An attacker could send a specially crafted URL request containing \"dot dot\" sequences (/../) to view arbitrary files on the system."
}
],
"value": "IBM webMethods Integration 10.15 could allow an authenticated user to traverse directories on the system. An attacker could send a specially crafted URL request containing \"dot dot\" sequences (/../) to view arbitrary files on the system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T16:02:16.587Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"url": "https://www.ibm.com/support/pages/node/7167245"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM webMethods Integration directory traversal",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2024-45074",
"datePublished": "2024-09-04T16:02:16.587Z",
"dateReserved": "2024-08-21T19:10:49.905Z",
"dateUpdated": "2024-09-04T16:18:12.246Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45075 (GCVE-0-2024-45075)
Vulnerability from cvelistv5
Published
2024-09-04 16:01
Modified
2024-09-04 16:18
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-308 - Use of Single-factor Authentication
Summary
IBM webMethods Integration 10.15 could allow an authenticated user to create scheduler tasks that would allow them to escalate their privileges to administrator due to missing authentication.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | webMethods Integration |
Version: 10.15 cpe:2.3:a:softwareag:webmethods:10.15:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45075",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-04T16:18:31.427546Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T16:18:41.619Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:softwareag:webmethods:10.15:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "webMethods Integration",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "10.15"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM webMethods Integration 10.15 could allow an authenticated user to create scheduler tasks that would allow them to escalate their privileges to administrator due to missing authentication."
}
],
"value": "IBM webMethods Integration 10.15 could allow an authenticated user to create scheduler tasks that would allow them to escalate their privileges to administrator due to missing authentication."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-308",
"description": "CWE-308: Use of Single-factor Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T16:01:17.026Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"url": "https://www.ibm.com/support/pages/node/7167245"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM webMethods Integration privilege escalation",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2024-45075",
"datePublished": "2024-09-04T16:01:17.026Z",
"dateReserved": "2024-08-21T19:10:49.905Z",
"dateUpdated": "2024-09-04T16:18:41.619Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45076 (GCVE-0-2024-45076)
Vulnerability from cvelistv5
Published
2024-09-04 15:59
Modified
2024-09-04 18:29
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Summary
IBM webMethods Integration 10.15 could allow an authenticated user to upload and execute arbitrary files which could be executed on the underlying operating system.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | webMethods Integration |
Version: 10.15 cpe:2.3:a:softwareag:webmethods:10.15:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45076",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-04T18:29:29.552776Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T18:29:57.834Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:softwareag:webmethods:10.15:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "webMethods Integration",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "10.15"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM webMethods Integration 10.15 could allow an authenticated user to upload and execute arbitrary files which could be executed on the underlying operating system."
}
],
"value": "IBM webMethods Integration 10.15 could allow an authenticated user to upload and execute arbitrary files which could be executed on the underlying operating system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T15:59:07.939Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"url": "https://www.ibm.com/support/pages/node/7167245"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM webMethods Integration code execution",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2024-45076",
"datePublished": "2024-09-04T15:59:07.939Z",
"dateReserved": "2024-08-21T19:10:49.905Z",
"dateUpdated": "2024-09-04T18:29:57.834Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}