{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-36202", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "state": "PUBLISHED", "assignerShortName": "ibm", "dateReserved": "2025-04-15T21:16:38.691Z", "datePublished": "2025-09-22T15:14:44.349Z", "dateUpdated": "2025-09-22T15:42:51.190Z"}, "containers": {"cna": {"affected": [{"cpes": ["cpe:2.3:a:ibm:webmethods:10.15:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:webmethods:11.1:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "product": "webMethods Integration", "vendor": "IBM", "versions": [{"status": "affected", "version": "10.15"}, {"status": "affected", "version": "11.1"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Rob Maslen"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "IBM webMethods Integration 10.15 and 11.1 could allow an authenticated user with required execute Services to execute commands on the system due to the improper validation of format string strings passed as an argument from an external source."}], "value": "IBM webMethods Integration 10.15 and 11.1 could allow an authenticated user with required execute Services to execute commands on the system due to the improper validation of format string strings passed as an argument from an external source."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-134", "description": "CWE-134 Use of Externally-Controlled Format String", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2025-09-22T15:14:44.349Z"}, "references": [{"tags": ["vendor-advisory", "patch"], "url": "https://www.ibm.com/support/pages/node/7245720"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>IBM strongly recommends addressing the vulnerability now by applying the mentioned core fixes or later core fixes for the affected versions and following the respective readme document.</p><p>IS_10.15_Core_Fix22 or later<br>IS_11.1_Core_Fix6 or later</p><p>Fixes can be downloaded and installed via IBM webMethods Update Manager. Refer to How to Download webMethods Software (<a target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/node/7232491%29\">https://www.ibm.com/support/pages/node/7232491)</a></p>\n\n<br>"}], "value": "IBM strongly recommends addressing the vulnerability now by applying the mentioned core fixes or later core fixes for the affected versions and following the respective readme document.\n\nIS_10.15_Core_Fix22 or later\nIS_11.1_Core_Fix6 or later\n\nFixes can be downloaded and installed via IBM webMethods Update Manager. Refer to How to Download webMethods Software ( https://www.ibm.com/support/pages/node/7232491) https://www.ibm.com/support/pages/node/7232491%29"}], "source": {"discovery": "UNKNOWN"}, "title": "IBM webMethods Integration code execution", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-22T15:42:36.375502Z", "id": "CVE-2025-36202", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-22T15:42:51.190Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-36202", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-09-22T15:42:36.375502Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-22T15:42:42.158Z"}}], "cna": {"title": "IBM webMethods Integration code execution", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Rob Maslen"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"cpes": ["cpe:2.3:a:ibm:webmethods:10.15:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:webmethods:11.1:*:*:*:*:*:*:*"], "vendor": "IBM", "product": "webMethods Integration", "versions": [{"status": "affected", "version": "10.15"}, {"status": "affected", "version": "11.1"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "IBM strongly recommends addressing the vulnerability now by applying the mentioned core fixes or later core fixes for the affected versions and following the respective readme document.\n\nIS_10.15_Core_Fix22 or later\nIS_11.1_Core_Fix6 or later\n\nFixes can be downloaded and installed via IBM webMethods Update Manager. Refer to How to Download webMethods Software ( https://www.ibm.com/support/pages/node/7232491) https://www.ibm.com/support/pages/node/7232491%29", "supportingMedia": [{"type": "text/html", "value": "<p>IBM strongly recommends addressing the vulnerability now by applying the mentioned core fixes or later core fixes for the affected versions and following the respective readme document.</p><p>IS_10.15_Core_Fix22 or later<br>IS_11.1_Core_Fix6 or later</p><p>Fixes can be downloaded and installed via IBM webMethods Update Manager. Refer to How to Download webMethods Software (<a target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/node/7232491%29\">https://www.ibm.com/support/pages/node/7232491)</a></p>\n\n<br>", "base64": false}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7245720", "tags": ["vendor-advisory", "patch"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "IBM webMethods Integration 10.15 and 11.1 could allow an authenticated user with required execute Services to execute commands on the system due to the improper validation of format string strings passed as an argument from an external source.", "supportingMedia": [{"type": "text/html", "value": "IBM webMethods Integration 10.15 and 11.1 could allow an authenticated user with required execute Services to execute commands on the system due to the improper validation of format string strings passed as an argument from an external source.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-134", "description": "CWE-134 Use of Externally-Controlled Format String"}]}], "providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2025-09-22T15:14:44.349Z"}}}, "cveMetadata": {"cveId": "CVE-2025-36202", "state": "PUBLISHED", "dateUpdated": "2025-09-22T15:42:51.190Z", "dateReserved": "2025-04-15T21:16:38.691Z", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "datePublished": "2025-09-22T15:14:44.349Z", "assignerShortName": "ibm"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "IBM webMethods Integration 10.15 and 11.1 could allow an authenticated user with required execute Services to execute commands on the system due to the improper validation of format string strings passed as an argument from an external source."}], "id": "CVE-2025-36202", "lastModified": "2025-09-22T16:15:43.263", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "psirt@us.ibm.com", "type": "Primary"}]}, "published": "2025-09-22T16:15:43.263", "references": [{"source": "psirt@us.ibm.com", "url": "https://www.ibm.com/support/pages/node/7245720"}], "sourceIdentifier": "psirt@us.ibm.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-134"}], "source": "psirt@us.ibm.com", "type": "Primary"}]}

{}