Platform: ibm
Component: ibm-qradar-suite-software
Fixed versions: 1.11.3, 1.10.12
CVE-2025-25021 describes a remote code execution (RCE) vulnerability affecting IBM QRadar Suite Software and IBM Cloud Pak for Security. This flaw stems from improper code generation during case management script creation, enabling an attacker to potentially execute arbitrary code with elevated privileges. The vulnerability impacts versions 1.10.0.0 through 1.11.2.0 of QRadar Suite Software and 1.10.0.0 through 1.10.11.0 of Cloud Pak for Security. A fix is available from IBM.
Successful exploitation of CVE-2025-25021 could allow an attacker to gain complete control over the affected QRadar or Cloud Pak for Security system. This could involve data exfiltration, system modification, or the deployment of malicious software. Given QRadar's role in security information and event management (SIEM), a compromise could lead to the attacker gaining visibility into the entire organization's security posture and potentially manipulating security responses. The ability to execute code with privileged access significantly expands the attack surface and increases the potential for lateral movement within the network. This vulnerability shares characteristics with other code injection flaws where improper input validation leads to arbitrary code execution, potentially allowing for persistent backdoor access.
CVE-2025-25021 was publicly disclosed on June 3, 2025. Its inclusion in the NVD is pending. The EPSS score is currently unavailable, but given the RCE nature and potential impact on a critical security tool like QRadar, it is likely to be assessed as medium or high probability. No public proof-of-concept exploits have been released at the time of writing, but the vulnerability's nature makes it a likely target for exploitation.
Organizations heavily reliant on IBM QRadar Suite Software for security monitoring and incident response are particularly at risk. This includes those with complex security environments, extensive log data processing, and potentially those with legacy QRadar deployments that may be slower to patch. Shared hosting environments utilizing QRadar instances are also at increased risk due to potential cross-tenant vulnerabilities.
Detection checks (the endpoint path, table and column names and the LIKE pattern below are generic placeholders; substitute the actual paths, table and column names of your own deployment):
• linux / server:
journalctl -u qradar | grep -i "case management script"
• generic web:
curl -I <qradar_url>/case_management_script_endpoint
• database (mysql):
SELECT * FROM scripts WHERE script_type = 'case_management' AND script_content LIKE '%malicious_code%';
Disclosure
Exploit status
EPSS: 0.16% (37th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-25021 is to upgrade to a patched version of IBM QRadar Suite Software or IBM Cloud Pak for Security as soon as possible. IBM has released updates to address this vulnerability; refer to their security advisory for specific version details. If immediate patching is not feasible, consider implementing temporary workarounds such as restricting access to the case management script creation functionality and carefully reviewing any newly created scripts for suspicious code. While not a complete solution, restricting user permissions and implementing strict input validation on script parameters can reduce the attack surface. After upgrading, verify the fix by attempting to create a case management script with potentially malicious code and confirming that it is properly sanitized and does not execute.
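An added triage helper (example code, not from this advisory or from IBM) that checks inventory entries against the affected and fixed versions listed above. The product keys, hostnames and the comma-separated inventory format are assumptions, and the pairing of each fixed version with its product is inferred from the affected ranges.

```python
import re
from typing import Dict, Tuple

# Affected ranges (inclusive) and first fixed release, as stated in the advisory.
# Which fixed version belongs to which product is inferred from the ranges.
ADVISORY = {
    "qradar-suite": {"affected": ("1.10.0.0", "1.11.2.0"), "fixed": "1.11.3"},
    "cloud-pak-for-security": {"affected": ("1.10.0.0", "1.10.11.0"), "fixed": "1.10.12"},
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.11.3' or '1.11.2.0' into a 4-tuple so that tuple comparison
    orders releases correctly ('1.11.3' == '1.11.3.0', '1.9.9.9' < '1.10.0.0')."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){0,3}", text):
        raise ValueError(f"unexpected version format: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(product: str, version: str) -> bool:
    """True if this version of the product lies inside the advisory's affected range."""
    low, high = ADVISORY[product]["affected"]
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def triage(inventory: str) -> Dict[str, str]:
    """Map each 'host,product,version' line to an upgrade verdict."""
    verdicts = {}
    for line in inventory.strip().splitlines():
        host, product, version = (field.strip() for field in line.split(","))
        if is_affected(product, version):
            verdicts[host] = f"upgrade to {ADVISORY[product]['fixed']} or later"
        else:
            verdicts[host] = "not affected"
    return verdicts


# Constructed sample inventory (hostnames are made up; product keys are assumptions).
SAMPLE_INVENTORY = """
siem-prod-01,qradar-suite,1.11.2.0
siem-prod-02,qradar-suite,1.11.3
cp4s-lab-01,cloud-pak-for-security,1.10.11.0
cp4s-lab-02,cloud-pak-for-security,1.10.12
"""

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```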
Upgrade IBM QRadar Suite Software to a version later than 1.11.2.0, or IBM Cloud Pak for Security to a version later than 1.10.11.0. Consult the IBM advisory for further details and specific instructions.
CVE-2025-25021 is a remote code execution vulnerability in IBM QRadar Suite Software versions 1.10.0.0–1.11.2.0 and IBM Cloud Pak for Security 1.10.0.0–1.10.11.0, allowing attackers to execute code through improper code generation in case management scripts.
If you are using IBM QRadar Suite Software versions 1.10.0.0 through 1.11.2.0 or IBM Cloud Pak for Security versions 1.10.0.0 through 1.10.11.0, you are potentially affected by this vulnerability.
The recommended fix is to upgrade to a patched version of IBM QRadar Suite Software or IBM Cloud Pak for Security as soon as possible. Refer to the official IBM security advisory for specific version details.
No public proof-of-concept exploits have been released, but the vulnerability's nature suggests it is a likely target for exploitation.
Please refer to the official IBM Security Bulletin for CVE-2025-25021. The specific URL will be available on the IBM Security Support website.