{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-36375", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "state": "PUBLISHED", "assignerShortName": "ibm", "dateReserved": "2025-04-15T21:16:56.325Z", "datePublished": "2026-04-01T22:50:51.697Z", "dateUpdated": "2026-04-03T13:56:04.937Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2026-04-01T22:50:51.697Z"}, "title": "IBM DataPower Gateway vulnerable to CSRF", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "type": "CWE"}]}], "affected": [{"vendor": "IBM", "product": "DataPower Gateway 10.6CD", "versions": [{"status": "affected", "version": "10.6.1.0", "lessThanOrEqual": "10.6.5.0", "versionType": "semver"}], "cpes": ["cpe:2.3:a:ibm:datapower_gateway_106cd:10.6.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:datapower_gateway_106cd:10.6.5.0:*:*:*:*:*:*:*"]}, {"vendor": "IBM", "product": "DataPower Gateway 10.5.0", "versions": [{"status": "affected", "version": "10.5.0.0", "lessThanOrEqual": "10.5.0.20", "versionType": "semver"}], "cpes": ["cpe:2.3:a:ibm:datapower_gateway_1050:10.5.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:datapower_gateway_1050:10.5.0.20:*:*:*:*:*:*:*"]}, {"vendor": "IBM", "product": "DataPower Gateway 10.6.0", "versions": [{"status": "affected", "version": "10.6.0.0", "lessThanOrEqual": "10.6.0.8", "versionType": "semver"}], "cpes": ["cpe:2.3:a:ibm:datapower_gateway_1060:10.6.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:datapower_gateway_1060:10.6.0.8:*:*:*:*:*:*:*"]}], "descriptions": [{"lang": "en", "value": "IBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0 and IBM DataPower Gateway 10.5.0 10.5.0.0 through 10.5.0.20 and IBM DataPower Gateway 10.6.0 10.6.0.0 through 10.6.0.8 IBM DataPower Gateway is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>IBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0 and IBM DataPower Gateway 10.5.0 10.5.0.0 through 10.5.0.20 and IBM DataPower Gateway 10.6.0 10.6.0.0 through 10.6.0.8 IBM DataPower Gateway is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.</p>"}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7268034", "tags": ["vendor-advisory", "patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"}}], "solutions": [{"lang": "en", "value": "Affected Product(s)Fixed in VersionFix linkIBM DataPower Gateway 10.6CD 10.6.1.0 - 10.6.5.010.6.6.0 Installation and Upgrade 10.6.x https://www.ibm.com/docs/en/datapower-gateway/10.6.x IBM DataPower Gateway 10.6.0\u00a0 10.6.0.0 - 10.6.0.810.6.0.9 Installation and Upgrade 10.6.0 https://www.ibm.com/docs/en/datapower-gateway/10.6.0 IBM DataPower Gateway 10.5.0\u00a0 10.5.0.0 - 10.5.0.2010.5.0.21 Installation and Upgrade 10.5.0 https://www.ibm.com/docs/en/datapower-gateway/10.5.0 \n\nIBM strongly recommends upgrading to a fixed version", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<div><br><table><tbody><tr><td>Affected Product(s)</td><td>Fixed in Version</td><td>Fix link</td></tr><tr><td>IBM DataPower Gateway 10.6CD 10.6.1.0 - 10.6.5.0</td><td>10.6.6.0</td><td><a href=\"https://www.ibm.com/docs/en/datapower-gateway/10.6.x?topic=overview-release-notes#relnotes__install__title__1\" rel=\"nofollow\">Installation and Upgrade 10.6.x</a></td></tr><tr><td>IBM DataPower Gateway 10.6.0&nbsp; 10.6.0.0 - 10.6.0.8</td><td>10.6.0.9</td><td><a href=\"https://www.ibm.com/docs/en/datapower-gateway/10.6.0?topic=overview-release-notes#relnotes__install__title__1\" rel=\"nofollow\">Installation and Upgrade 10.6.0</a></td></tr><tr><td>IBM DataPower Gateway 10.5.0&nbsp; 10.5.0.0 - 10.5.0.20</td><td>10.5.0.21</td><td><a href=\"https://www.ibm.com/docs/en/datapower-gateway/10.5.0?topic=overview-release-notes#relnotes__install__title__1\" rel=\"nofollow\">Installation and Upgrade 10.5.0</a></td></tr></tbody></table></div><p>IBM strongly recommends upgrading to a fixed version</p>"}]}], "x_generator": {"engine": "ibm-cvegen"}, "credits": [{"lang": "en", "value": "Acknowledgement This vulnerability was reported to IBM by Maciej W\u0142odarczyk & Micha\u0142 Bartoszuk @ STM Cyber.", "type": "finder"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-36375", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-03T13:45:08.878992Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T13:56:04.937Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-36375", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-03T13:45:08.878992Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T13:49:32.435Z"}}], "cna": {"title": "IBM DataPower Gateway vulnerable to CSRF", "credits": [{"lang": "en", "type": "finder", "value": "Acknowledgement This vulnerability was reported to IBM by Maciej W\u0142odarczyk & Micha\u0142 Bartoszuk @ STM Cyber."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"cpes": ["cpe:2.3:a:ibm:datapower_gateway_106cd:10.6.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:datapower_gateway_106cd:10.6.5.0:*:*:*:*:*:*:*"], "vendor": "IBM", "product": "DataPower Gateway 10.6CD", "versions": [{"status": "affected", "version": "10.6.1.0", "versionType": "semver", "lessThanOrEqual": "10.6.5.0"}]}, {"cpes": ["cpe:2.3:a:ibm:datapower_gateway_1050:10.5.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:datapower_gateway_1050:10.5.0.20:*:*:*:*:*:*:*"], "vendor": "IBM", "product": "DataPower Gateway 10.5.0", "versions": [{"status": "affected", "version": "10.5.0.0", "versionType": "semver", "lessThanOrEqual": "10.5.0.20"}]}, {"cpes": ["cpe:2.3:a:ibm:datapower_gateway_1060:10.6.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:datapower_gateway_1060:10.6.0.8:*:*:*:*:*:*:*"], "vendor": "IBM", "product": "DataPower Gateway 10.6.0", "versions": [{"status": "affected", "version": "10.6.0.0", "versionType": "semver", "lessThanOrEqual": "10.6.0.8"}]}], "solutions": [{"lang": "en", "value": "Affected Product(s)Fixed in VersionFix linkIBM DataPower Gateway 10.6CD 10.6.1.0 - 10.6.5.010.6.6.0 Installation and Upgrade 10.6.x https://www.ibm.com/docs/en/datapower-gateway/10.6.x IBM DataPower Gateway 10.6.0\u00a0 10.6.0.0 - 10.6.0.810.6.0.9 Installation and Upgrade 10.6.0 https://www.ibm.com/docs/en/datapower-gateway/10.6.0 IBM DataPower Gateway 10.5.0\u00a0 10.5.0.0 - 10.5.0.2010.5.0.21 Installation and Upgrade 10.5.0 https://www.ibm.com/docs/en/datapower-gateway/10.5.0 \n\nIBM strongly recommends upgrading to a fixed version", "supportingMedia": [{"type": "text/html", "value": "<div><br><table><tbody><tr><td>Affected Product(s)</td><td>Fixed in Version</td><td>Fix link</td></tr><tr><td>IBM DataPower Gateway 10.6CD 10.6.1.0 - 10.6.5.0</td><td>10.6.6.0</td><td><a href=\"https://www.ibm.com/docs/en/datapower-gateway/10.6.x?topic=overview-release-notes#relnotes__install__title__1\" rel=\"nofollow\">Installation and Upgrade 10.6.x</a></td></tr><tr><td>IBM DataPower Gateway 10.6.0&nbsp; 10.6.0.0 - 10.6.0.8</td><td>10.6.0.9</td><td><a href=\"https://www.ibm.com/docs/en/datapower-gateway/10.6.0?topic=overview-release-notes#relnotes__install__title__1\" rel=\"nofollow\">Installation and Upgrade 10.6.0</a></td></tr><tr><td>IBM DataPower Gateway 10.5.0&nbsp; 10.5.0.0 - 10.5.0.20</td><td>10.5.0.21</td><td><a href=\"https://www.ibm.com/docs/en/datapower-gateway/10.5.0?topic=overview-release-notes#relnotes__install__title__1\" rel=\"nofollow\">Installation and Upgrade 10.5.0</a></td></tr></tbody></table></div><p>IBM strongly recommends upgrading to a fixed version</p>", "base64": false}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7268034", "tags": ["vendor-advisory", "patch"]}], "x_generator": {"engine": "ibm-cvegen"}, "descriptions": [{"lang": "en", "value": "IBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0 and IBM DataPower Gateway 10.5.0 10.5.0.0 through 10.5.0.20 and IBM DataPower Gateway 10.6.0 10.6.0.0 through 10.6.0.8 IBM DataPower Gateway is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.", "supportingMedia": [{"type": "text/html", "value": "<p>IBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0 and IBM DataPower Gateway 10.5.0 10.5.0.0 through 10.5.0.20 and IBM DataPower Gateway 10.6.0 10.6.0.0 through 10.6.0.8 IBM DataPower Gateway is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2026-04-01T22:50:51.697Z"}}}, "cveMetadata": {"cveId": "CVE-2025-36375", "state": "PUBLISHED", "dateUpdated": "2026-04-03T13:56:04.937Z", "dateReserved": "2025-04-15T21:16:56.325Z", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "datePublished": "2026-04-01T22:50:51.697Z", "assignerShortName": "ibm"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "IBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0 and IBM DataPower Gateway 10.5.0 10.5.0.0 through 10.5.0.20 and IBM DataPower Gateway 10.6.0 10.6.0.0 through 10.6.0.8 IBM DataPower Gateway is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts."}], "id": "CVE-2025-36375", "lastModified": "2026-04-03T16:10:52.680", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "psirt@us.ibm.com", "type": "Primary"}]}, "published": "2026-04-01T23:17:01.323", "references": [{"source": "psirt@us.ibm.com", "url": "https://www.ibm.com/support/pages/node/7268034"}], "sourceIdentifier": "psirt@us.ibm.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "psirt@us.ibm.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[10.5.0.0,10.5.0.20]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "DataPower Gateway 10.5.0", "source": "cna", "vendor": "IBM"}, "product": "datapower_gateway_1050", "vendor": "ibm"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[10.6.0.0,10.6.0.8]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "DataPower Gateway 10.6.0", "source": "cna", "vendor": "IBM"}, "product": "datapower_gateway_1060", "vendor": "ibm"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[10.6.1.0,10.6.5.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "DataPower Gateway 10.6CD", "source": "cna", "vendor": "IBM"}, "product": "datapower_gateway_106cd", "vendor": "ibm"}], "analysis": {"en": {"generated_at": "2026-04-02T03:07:33.838771+00:00", "value": {"mitigation_remediation": ["Identify the exact version of IBM DataPower Gateway currently installed on your infrastructure.", "Access IBM\u2019s official documentation site and download the appropriate fixed release for that product version (for example, 10.6.5.0 fixes are available for 10.6.0 and 10.6CD and 10.5.0 is fixed by 10.5.0.21).", "Follow IBM\u2019s installation and upgrade instructions to apply the patch or incorporate the new firmware, ensuring the appliance restarts if necessary."], "summary": {"action": "Patch Now", "impact": "Cross\u2011Site Request Forgery enabling unauthorized actions on IBM DataPower Gateway"}, "threat_synthesis": {"affected_systems": "Affected products include IBM DataPower Gateway 10.5.0 versions 10.5.0.0 through 10.5.0.20, 10.6.0 versions 10.6.0.0 through 10.6.0.8, and 10.6CD versions 10.6.1.0 through 10.6.5.0. All other releases beyond the specified ranges are believed to be unaffected.", "description_and_impact": "IBM DataPower Gateway is vulnerable to a cross\u2011site request forgery flaw that allows an adversary to send crafted requests which the gateway will process using the privileges of an authenticated user. This can result in unauthorized configuration changes, command execution, or other privileged actions that compromise the integrity of the appliance and expose confidential data flowing through it.", "risk_and_exploitability": "The vulnerability carries a moderate severity rating. No publicly published probability metrics are available, and it is not listed in the CISA Known Exploited Vulnerabilities catalog. Typical exploitation would involve a user with administrative access being tricked into submitting malicious requests, such as via a compromised web page or social engineering. Successful exploitation grants the attacker the same rights as the authenticated user, allowing a range of unauthorized actions."}}}}, "created": "2026-04-02T07:47:06.907233+00:00", "updated": "2026-04-02T20:16:05.233456+00:00", "vendors": ["ibm", "ibm$PRODUCT$datapower_gateway_1050", "ibm$PRODUCT$datapower_gateway_1060", "ibm$PRODUCT$datapower_gateway_106cd"]}