CVE-2025-36375

Name

IBM DataPower Gateway vulnerable to CSRF

CVSS score

6.5 (Medium)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Product name

IBM DataPower Gateway

Confirmed exploitable versions

10.5.0, 10.6.0, 10.6CD

Researcher

Maciej Włodarczyk & Michał Bartoszuk

Description

IBM DataPower Gateway is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.

Timeline

03-10-2025 - Vulnerability reported to vendor
01-04-2026 - Security advisory is published by the vendor

References

https://www.ibm.com/support/pages/node/7268034
https://www.cve.org/CVERecord?id=CVE-2025-36375