MEDIUM · CVE-2025-36375 · CVSS 6.5

CVE-2025-36375: CSRF in IBM DataPower Gateway

Platform

ibm

Component

datapower-gateway

Fixed in

10.6.6

10.5.1

10.6.1

AI Confidence: high · Source: NVD · EPSS 0.0% · Reviewed: May 2026

CVE-2025-36375 describes a cross-site request forgery (CSRF) vulnerability affecting IBM DataPower Gateway. The flaw could allow an attacker to cause unauthorized actions to be executed on behalf of a trusted, authenticated user. The vulnerability impacts versions 10.5.0.0 through 10.6.5.0, as well as 10.6.0.0 through 10.6.0.8. IBM has advised upgrading to a patched version to address this security concern.

Impact and Attack Scenarios

A successful CSRF attack could allow an attacker to perform actions as a legitimate user of the DataPower Gateway, potentially leading to unauthorized configuration changes, data manipulation, or even complete system compromise. The attacker would need to trick a user who is already authenticated to the gateway into clicking a malicious link or visiting a crafted webpage. The impact is amplified if the DataPower Gateway is used to manage sensitive data or control critical infrastructure, as an attacker could leverage this vulnerability to gain broader access and control. Like other CSRF vulnerabilities, the attack hijacks the victim's existing session without their knowledge.

Exploitation Context

CVE-2025-36375 was published on 2026-04-01. The EPSS score is pending evaluation. No public proof-of-concept (POC) exploits are currently known. Monitor IBM security advisories and security news sources for any updates on exploitation activity. This vulnerability is not currently listed on the CISA KEV catalog.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.02% (4% percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: partial

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Base score: 6.5 (MEDIUM)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
None — no confidentiality impact. Attacker cannot read protected data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Component: datapower-gateway
Vendor: IBM

Affected range          Fixed in
10.6.1.0 – 10.6.5.0     10.6.6
10.5.0.0 – 10.5.0.20    10.5.1
10.6.0.0 – 10.6.0.8     10.6.1

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
Unpatched — 53 days since disclosure

Mitigation and Workarounds

The primary mitigation for CVE-2025-36375 is to upgrade to a fixed version of IBM DataPower Gateway. IBM has not yet released a specific fixed version, so monitor IBM security advisories for updates. As an interim measure, place a Web Application Firewall (WAF) with CSRF protection rules in front of the gateway's web interfaces to filter out forged cross-origin requests. Consider adding stricter input validation and output encoding to prevent the injection of malicious scripts. Regularly review and audit DataPower Gateway configurations to identify and address potential weaknesses.

How to fix

Update IBM DataPower Gateway to a version that is not vulnerable to CSRF. See the IBM advisory for more details and specific update instructions.

Frequently asked questions

What is CVE-2025-36375 — CSRF in IBM DataPower Gateway?

CVE-2025-36375 is a cross-site request forgery (CSRF) vulnerability affecting IBM DataPower Gateway versions 10.5.0.0–10.6.5.0, allowing attackers to perform unauthorized actions.

Am I affected by CVE-2025-36375 in IBM DataPower Gateway?

If you are running IBM DataPower Gateway versions 10.5.0.0 through 10.6.5.0 or 10.6.0.0 through 10.6.0.8, you are potentially affected by this vulnerability.

How do I fix CVE-2025-36375 in IBM DataPower Gateway?

Upgrade to a fixed version of IBM DataPower Gateway as soon as it becomes available. Until then, implement WAF rules and stricter input validation.

Is CVE-2025-36375 being actively exploited?

Currently, there are no confirmed reports of active exploitation, but it's crucial to implement mitigations proactively.

Where can I find the official IBM advisory for CVE-2025-36375?

Refer to the official IBM Security Bulletin for CVE-2025-36375 on the IBM Security Support website.
