Platform: ibm
Component: datapower-gateway
Fixed in: 10.6.6, 10.5.1, 10.6.1
CVE-2025-36375 describes a cross-site request forgery (CSRF) vulnerability affecting IBM DataPower Gateway. This flaw allows an attacker to potentially execute malicious and unauthorized actions on behalf of a trusted user. The vulnerability impacts versions 10.5.0.0 through 10.6.5.0, as well as 10.6.0.0 through 10.6.0.8. IBM has advised upgrading to a patched version to address this security concern.
A successful CSRF attack could allow an attacker to perform actions as a legitimate user of the DataPower Gateway, potentially leading to unauthorized configuration changes, data manipulation, or even complete system compromise. The attacker would need to trick a user into clicking a malicious link or visiting a crafted webpage. The impact is amplified if the DataPower Gateway is used to manage sensitive data or control critical infrastructure, as an attacker could leverage this vulnerability to gain broader access and control. This vulnerability shares similarities with other CSRF exploits, where user actions are unknowingly hijacked.
CVE-2025-36375 was published on 2026-04-01. The EPSS score is pending evaluation. No public proof-of-concept (POC) exploits are currently known. Monitor IBM security advisories and security news sources for any updates on exploitation activity. This vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.02% (4th percentile)
The primary mitigation for CVE-2025-36375 is to upgrade to a fixed version of IBM DataPower Gateway. IBM has not yet released a specific fixed version, so monitor IBM security advisories for updates. As an interim measure, implement a Web Application Firewall (WAF) with CSRF protection rules to filter out malicious requests. Consider adding stricter input validation and output encoding to prevent the injection of malicious scripts. Regularly review and audit DataPower Gateway configurations to identify and address potential vulnerabilities.
Update IBM DataPower Gateway to a version that is not vulnerable to CSRF. See the IBM advisory for more details and specific update instructions.
CVE-2025-36375 is a cross-site request forgery (CSRF) vulnerability affecting IBM DataPower Gateway versions 10.5.0.0–10.6.5.0, allowing attackers to perform unauthorized actions.
If you are running IBM DataPower Gateway versions 10.5.0.0 through 10.6.5.0 or 10.6.0.0 through 10.6.0.8, you are potentially affected by this vulnerability.
Upgrade to a fixed version of IBM DataPower Gateway as soon as it becomes available. Until then, implement WAF rules and stricter input validation.
Currently, there are no confirmed reports of active exploitation, but it's crucial to implement mitigations proactively.
Refer to the official IBM Security Bulletin for CVE-2025-36375 on the IBM Security Support website.