CVE-2025-36375

IBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0 and IBM DataPower Gateway 10.5.0 10.5.0.0 through 10.5.0.20 and IBM DataPower Gateway 10.6.0 10.6.0.0 through 10.6.0.8 IBM DataPower Gateway is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.ibm.com/support/pages/node/7268034	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:ibm:datapower_gateway::::::::
	cpe:2.3:a:ibm:datapower_gateway::::::::
	cpe:2.3:a:ibm:datapower_gateway:::::continuous_delivery:::*

History

06 Apr 2026, 16:30

Type	Values Removed	Values Added
CPE		cpe:2.3:a:ibm:datapower_gateway:::::::: cpe:2.3:a:ibm:datapower_gateway:::::continuous_delivery:::*
First Time		Ibm datapower Gateway Ibm
References	~~() https://www.ibm.com/support/pages/node/7268034 -~~	() https://www.ibm.com/support/pages/node/7268034 - Vendor Advisory

01 Apr 2026, 23:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-01 23:17

Updated : 2026-04-06 16:30

NVD link : CVE-2025-36375

Mitre link : CVE-2025-36375

CVE.ORG link : CVE-2025-36375

JSON object : View

Products Affected

ibm

datapower_gateway

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

{"id": "CVE-2025-36375", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "psirt@us.ibm.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2026-04-01T23:17:01.323", "references": [{"url": "https://www.ibm.com/support/pages/node/7268034", "tags": ["Vendor Advisory"], "source": "psirt@us.ibm.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "psirt@us.ibm.com", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "IBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0 and IBM DataPower Gateway 10.5.0 10.5.0.0 through 10.5.0.20 and IBM DataPower Gateway 10.6.0 10.6.0.0 through 10.6.0.8 IBM DataPower Gateway is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts."}], "lastModified": "2026-04-06T16:30:41.043", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ibm:datapower_gateway:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CE32BDC7-B268-4779-A283-F94DCF1433D3", "versionEndExcluding": "10.5.0.21", "versionStartIncluding": "10.5.0.0"}, {"criteria": "cpe:2.3:a:ibm:datapower_gateway:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9036053D-6E1A-4B2F-ACCA-5E3F4443F73E", "versionEndExcluding": "10.6.0.9", "versionStartIncluding": "10.6.0.0"}, {"criteria": "cpe:2.3:a:ibm:datapower_gateway:*:*:*:*:continuous_delivery:*:*:*", "vulnerable": true, "matchCriteriaId": "E75118C5-5C01-404E-B857-56B9D6CA2119", "versionEndExcluding": "10.6.6.0", "versionStartIncluding": "10.6.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@us.ibm.com"}