CVE-2025-36373

Name

Incorrect administrative access control in IBM DataPower Gateway

CVSS score

4.1 (Medium)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N

Product name

IBM DataPower Gateway

Confirmed exploitable versions

10.5.0, 10.6.0, 10.6CD

Researcher

Michał Bartoszuk & Maciej Włodarczyk

Description

In IBM DataPower Gateway 10.6.0.5, a vulnerability was discovered that allows a user to access information about all services in all domains, although their access is restricted to only one domain.
Successful exploitation require access to the low-privileged user with read access.

Timeline

03-10-2025 - Vulnerability reported to vendor
01-04-2026 - Security advisory is published by the vendor

References

https://www.ibm.com/support/pages/node/7267833
https://www.cve.org/CVERecord?id=CVE-2025-36373