CVE-2025-36072 (GCVE-0-2025-36072)
Vulnerability from cvelistv5
Published
2025-11-20 22:09
Modified
2025-11-21 15:51
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE
  • CWE-502 - Deserialization of Untrusted Data
Summary
IBM webMethods Integration 10.11 through 10.11_Core_Fix22, 10.15 through 10.15_Core_Fix22, and 11.1 through 11.1_Core_Fix6 IBM webMethods Integration allow an authenticated user to execute arbitrary code on the system, caused by the deserialization of untrusted object graphs data.
References
Impacted products
Vendor Product Version
IBM webMethods Integration Version: 10.11    10.11_Core_Fix22
Version: 10.15    10.15_Core_Fix22
Version: 11.1    11.1_Core_Fix6
    cpe:2.3:a:ibm:webmethods_integration:10.11:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:webmethods_integration:10.11:Core_Fix22:*:*:*:*:*:*
    cpe:2.3:a:ibm:webmethods_integration:10.15:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:webmethods_integration:10.15:Core_Fix22:*:*:*:*:*:*
    cpe:2.3:a:ibm:webmethods_integration:11.1:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:webmethods_integration:11.1:Core_Fix6:*:*:*:*:*:*
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-36072",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-21T15:51:46.532751Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-21T15:51:57.885Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:ibm:webmethods_integration:10.11:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:webmethods_integration:10.11:Core_Fix22:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:webmethods_integration:10.15:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:webmethods_integration:10.15:Core_Fix22:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:webmethods_integration:11.1:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:webmethods_integration:11.1:Core_Fix6:*:*:*:*:*:*"
          ],
          "product": "webMethods Integration",
          "vendor": "IBM",
          "versions": [
            {
              "lessThanOrEqual": "10.11_Core_Fix22",
              "status": "affected",
              "version": "10.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.15_Core_Fix22",
              "status": "affected",
              "version": "10.15",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "11.1_Core_Fix6",
              "status": "affected",
              "version": "11.1",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIBM webMethods Integration 10.11 through 10.11_Core_Fix22, 10.15 through 10.15_Core_Fix22, and 11.1 through 11.1_Core_Fix6 IBM webMethods Integration allow an authenticated user to execute arbitrary code on the system, caused by the deserialization of untrusted object graphs data.\u003c/p\u003e"
            }
          ],
          "value": "IBM webMethods Integration 10.11 through 10.11_Core_Fix22, 10.15 through 10.15_Core_Fix22, and 11.1 through 11.1_Core_Fix6 IBM webMethods Integration allow an authenticated user to execute arbitrary code on the system, caused by the deserialization of untrusted object graphs data."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502 Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-20T22:09:42.477Z",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://www.ibm.com/support/pages/node/7252090"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eRemediation/Fixes IBM strongly recommends addressing the vulnerability now by applying the mentioned core fixes or later core fixes for the affected versions and following the respective readme document. IS_10.11_Core_Fix23 or later IS_10.15_Core_Fix23 or later IS_11.1_Core_Fix7 or later Fixes can be downloaded and installed via IBM webMethods Update Manager. Refer to How to Download webMethods Software ( https://www.ibm.com/support/pages/node/7232491)\u003c/p\u003e"
            }
          ],
          "value": "Remediation/Fixes IBM strongly recommends addressing the vulnerability now by applying the mentioned core fixes or later core fixes for the affected versions and following the respective readme document. IS_10.11_Core_Fix23 or later IS_10.15_Core_Fix23 or later IS_11.1_Core_Fix7 or later Fixes can be downloaded and installed via IBM webMethods Update Manager. Refer to How to Download webMethods Software ( https://www.ibm.com/support/pages/node/7232491)"
        }
      ],
      "title": "IBM webMethods Integration Deserialization",
      "x_generator": {
        "engine": "ibm-cvegen"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2025-36072",
    "datePublished": "2025-11-20T22:09:42.477Z",
    "dateReserved": "2025-04-15T21:16:13.121Z",
    "dateUpdated": "2025-11-21T15:51:57.885Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-36072\",\"sourceIdentifier\":\"psirt@us.ibm.com\",\"published\":\"2025-11-20T23:15:51.527\",\"lastModified\":\"2025-11-21T15:13:13.800\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"IBM webMethods Integration 10.11 through 10.11_Core_Fix22, 10.15 through 10.15_Core_Fix22, and 11.1 through 11.1_Core_Fix6 IBM webMethods Integration allow an authenticated user to execute arbitrary code on the system, caused by the deserialization of untrusted object graphs data.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"psirt@us.ibm.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"psirt@us.ibm.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"references\":[{\"url\":\"https://www.ibm.com/support/pages/node/7252090\",\"source\":\"psirt@us.ibm.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-36072\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-11-21T15:51:46.532751Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-11-21T15:51:54.032Z\"}}], \"cna\": {\"title\": \"IBM webMethods Integration Deserialization\", \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:ibm:webmethods_integration:10.11:*:*:*:*:*:*:*\", \"cpe:2.3:a:ibm:webmethods_integration:10.11:Core_Fix22:*:*:*:*:*:*\", \"cpe:2.3:a:ibm:webmethods_integration:10.15:*:*:*:*:*:*:*\", \"cpe:2.3:a:ibm:webmethods_integration:10.15:Core_Fix22:*:*:*:*:*:*\", \"cpe:2.3:a:ibm:webmethods_integration:11.1:*:*:*:*:*:*:*\", \"cpe:2.3:a:ibm:webmethods_integration:11.1:Core_Fix6:*:*:*:*:*:*\"], \"vendor\": \"IBM\", \"product\": \"webMethods Integration\", \"versions\": [{\"status\": \"affected\", \"version\": \"10.11\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"10.11_Core_Fix22\"}, {\"status\": \"affected\", \"version\": \"10.15\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"10.15_Core_Fix22\"}, {\"status\": \"affected\", \"version\": \"11.1\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"11.1_Core_Fix6\"}]}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Remediation/Fixes IBM strongly recommends addressing the vulnerability now by applying the mentioned core fixes or later core fixes for the affected versions and following the respective readme document. IS_10.11_Core_Fix23 or later IS_10.15_Core_Fix23 or later IS_11.1_Core_Fix7 or later Fixes can be downloaded and installed via IBM webMethods Update Manager. Refer to How to Download webMethods Software ( https://www.ibm.com/support/pages/node/7232491)\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eRemediation/Fixes IBM strongly recommends addressing the vulnerability now by applying the mentioned core fixes or later core fixes for the affected versions and following the respective readme document. IS_10.11_Core_Fix23 or later IS_10.15_Core_Fix23 or later IS_11.1_Core_Fix7 or later Fixes can be downloaded and installed via IBM webMethods Update Manager. Refer to How to Download webMethods Software ( https://www.ibm.com/support/pages/node/7232491)\u003c/p\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://www.ibm.com/support/pages/node/7252090\", \"tags\": [\"vendor-advisory\", \"patch\"]}], \"x_generator\": {\"engine\": \"ibm-cvegen\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"IBM webMethods Integration 10.11 through 10.11_Core_Fix22, 10.15 through 10.15_Core_Fix22, and 11.1 through 11.1_Core_Fix6 IBM webMethods Integration allow an authenticated user to execute arbitrary code on the system, caused by the deserialization of untrusted object graphs data.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eIBM webMethods Integration 10.11 through 10.11_Core_Fix22, 10.15 through 10.15_Core_Fix22, and 11.1 through 11.1_Core_Fix6 IBM webMethods Integration allow an authenticated user to execute arbitrary code on the system, caused by the deserialization of untrusted object graphs data.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-502\", \"description\": \"CWE-502 Deserialization of Untrusted Data\"}]}], \"providerMetadata\": {\"orgId\": \"9a959283-ebb5-44b6-b705-dcc2bbced522\", \"shortName\": \"ibm\", \"dateUpdated\": \"2025-11-20T22:09:42.477Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-36072\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-21T15:51:57.885Z\", \"dateReserved\": \"2025-04-15T21:16:13.121Z\", \"assignerOrgId\": \"9a959283-ebb5-44b6-b705-dcc2bbced522\", \"datePublished\": \"2025-11-20T22:09:42.477Z\", \"assignerShortName\": \"ibm\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.