CVE-2025-36048
BaseFortify
Publication date: 2025-06-18
Last updated on: 2025-08-13
Assigner: IBM Corporation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | From 5.15.160 (inc) to 5.16 (inc) |
| ibm | webmethods_integration | 10.5 |
| ibm | webmethods_integration | 10.7 |
| ibm | webmethods_integration | 10.11 |
| ibm | webmethods_integration | 10.15 |
| apple | macos | * |
| microsoft | windows | * |
| novell | suse_linux | * |
| redhat | linux | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-250 | The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-36048 is a privilege escalation vulnerability in IBM webMethods Integration Server versions 10.5, 10.7, 10.11, and 10.15. It occurs because a privileged user can execute operations with unnecessary privileges, specifically through the pub.scheduler.addOneTimeTask service, allowing them to gain elevated privileges beyond what is intended. This flaw is classified under CWE-250 (Execution with Unnecessary Privileges). [1]
How can this vulnerability impact me? :
This vulnerability can allow a privileged user to escalate their privileges, potentially leading to unauthorized access or control over sensitive data and system functions. The CVSS score of 7.2 indicates a high impact on confidentiality, integrity, and availability, meaning an attacker could compromise data confidentiality, alter data or system states, and disrupt system availability. [1]
What immediate steps should I take to mitigate this vulnerability?
Apply the fixes provided by IBM starting from IS_10.5_Core_Fix29, IS_10.7_Core_Fix23, IS_10.11_Core_Fix11, and IS_10.15_Core_Fix14 or later. These fixes are available via the IBM webMethods Update Manager. Follow the respective fix readme documentation for proper installation. No workarounds or other mitigations are provided, so applying the official fixes is the recommended immediate step. [1]