DragonForce Ransomware – Active IOCs
June 20, 2025
Amadey Botnet – Active IOCs
June 21, 2025
Severity
High
Analysis Summary
IBM QRadar SIEM has been found vulnerable to multiple high-severity flaws, the most serious being CVE-2025-33117. This vulnerability allows a privileged user to upload a malicious autoupdate file that executes arbitrary commands, giving the attacker full control of the affected system. It is classified under CWE-73 (External Control of File Name or Path). Its CVSS vector (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) works out to a base score of 9.1 (Critical): the flaw is reachable over the network with low attack complexity and no user interaction, but it requires high privileges, so the realistic attacker is a rogue or compromised administrator rather than an anonymous remote user. The scope change (S:C) means exploitation affects resources beyond the vulnerable component, here the underlying host, which poses a serious risk in enterprise environments where QRadar holds mission-critical security data.
In addition to the file-path vulnerability, IBM disclosed two more issues. CVE-2025-33121 is an XML External Entity (XXE) injection flaw, CWE-611, rated high. An authenticated user can submit specially crafted XML that makes the parser resolve external entities, either disclosing sensitive information or consuming system memory through entity expansion. The third issue, CVE-2025-36050, is insertion of sensitive information into a log file, CWE-532, rated medium: a local user, without authentication, can read sensitive information directly from system log files, so anyone with shell access to the appliance, including a lower-privileged account, becomes an internal exposure risk.
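The usual hardening for an XXE class of bug is to refuse any document that carries a DTD before it reaches the parser, which removes both the file-disclosure and the memory-exhaustion outcomes described above regardless of how the parser is configured. The following Python intake guard is an added example, not IBM or QRadar code; the three XML payloads in it are constructed samples, and the size cap is a value chosen for the example.

```python
"""XML intake guard: refuse DTDs (and therefore every entity trick) before parsing.

Added example, not IBM or QRadar code. The payloads are constructed samples
illustrating the two XXE outcomes in the advisory: a sensitive-file read and
memory exhaustion through entity expansion.
"""
import re
import xml.etree.ElementTree as ET


class XmlRejected(ValueError):
    """Raised when a document fails the intake policy."""


# Constructed sample: external entity that reads a local file.
XXE_FILE_READ = b"""<?xml version="1.0"?>
<!DOCTYPE data [ <!ENTITY secret SYSTEM "file:///etc/passwd"> ]>
<data>&secret;</data>"""

# Constructed sample: nested internal entities ("billion laughs") that
# expand to a huge string and exhaust parser memory.
ENTITY_BOMB = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<lolz>&lol2;</lolz>"""

# Constructed sample: an ordinary document with no DTD.
BENIGN = b'<?xml version="1.0"?><event><source>10.0.0.5</source><severity>5</severity></event>'

MAX_BYTES = 1_000_000  # size cap chosen for this example

_DOCTYPE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
_EXTERNAL_ENTITY = re.compile(rb"<!ENTITY\s+%?\s*\S+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)
_INTERNAL_ENTITY = re.compile(rb"<!ENTITY\s+%?\s*\S+\s+[\"']", re.IGNORECASE)


def inspect_xml(payload: bytes) -> list:
    """Return the policy violations found in payload (empty list means accept).

    The checks run on raw bytes so they hold no matter which parser sits
    behind them. NUL bytes are never legal in XML, and a UTF-16 document
    would interleave them to slip past byte matching, so both are rejected
    up front.
    """
    problems = []
    if len(payload) > MAX_BYTES:
        problems.append(f"payload exceeds {MAX_BYTES} bytes")
    if b"\x00" in payload:
        problems.append("NUL byte present (UTF-16 or binary content)")
        return problems
    try:
        payload.decode("utf-8")
    except UnicodeDecodeError:
        problems.append("payload is not valid UTF-8")
        return problems
    if _DOCTYPE.search(payload):
        problems.append("DOCTYPE declaration present")
    if _EXTERNAL_ENTITY.search(payload):
        problems.append("external (SYSTEM/PUBLIC) entity declared")
    internal = len(_INTERNAL_ENTITY.findall(payload))
    if internal:
        problems.append(f"{internal} internal entity declaration(s); possible entity expansion")
    return problems


def parse_untrusted(payload: bytes) -> ET.Element:
    """Parse payload only if it passes inspect_xml, otherwise raise XmlRejected."""
    problems = inspect_xml(payload)
    if problems:
        raise XmlRejected("; ".join(problems))
    # Python's ElementTree does not fetch external entities, but the guard above
    # is what keeps that true independently of any one parser's settings.
    return ET.fromstring(payload)


if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("xxe", XXE_FILE_READ), ("bomb", ENTITY_BOMB)):
        try:
            root = parse_untrusted(doc)
            print(f"{name}: accepted, root element <{root.tag}>")
        except XmlRejected as exc:
            print(f"{name}: rejected ({exc})")
```

Rejecting on DOCTYPE alone is sufficient; the finer-grained entity checks only make the rejection reason useful for logging and for the IDS/IPS signatures the remediation list mentions.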
All three vulnerabilities affect IBM QRadar SIEM 7.5 through 7.5.0 UP12 IF01. Given the impact, especially from CVE-2025-33117, IBM urges all customers to upgrade to 7.5.0 UP12 IF02, which contains the fixes. IBM has published no workarounds or mitigations, so applying the update is the only effective defense.
These vulnerabilities show how an update mechanism that trusts administrator-supplied files, an XML parser that resolves external entities, and logging that records sensitive data can undermine the SIEM that the rest of the security stack depends on. Exploitation of any of them could lead to system compromise, data exposure, or loss of confidentiality, and a compromised SIEM also gives an attacker a view of, and a way to tamper with, the organization's own detections. Organizations relying on QRadar for threat detection and monitoring should treat this advisory as urgent and prioritize patch deployment to maintain operational integrity and prevent exploitation in the wild.
Impact
- Gain Access
- Information Disclosure
Indicators of Compromise
CVE
CVE-2025-33117
CVE-2025-33121
CVE-2025-36050
Affected Vendors
- IBM
Affected Products
- IBM QRadar SIEM 7.5 - 7.5.0 UP12 IF01
Remediation
- Refer to the IBM Security Advisory for patch and upgrade details; IBM lists no workaround for these issues.
- Restrict administrative access to only trusted and authorized personnel to reduce the risk of exploitation by privileged users.
- Review system logs and audit trails for any suspicious activity or unauthorized configuration changes, especially related to file uploads and autoupdate features.
- Harden local system access by limiting user privileges and monitoring local log file access to prevent data leakage via CVE-2025-36050.
- Enable network-level protections such as intrusion detection/prevention systems (IDS/IPS) to watch for abnormal XML processing or file-path manipulation, bearing in mind that traffic to the QRadar console is HTTPS, so such inspection needs TLS visibility or must be complemented by the console's own audit logs.
- Educate internal users and administrators about the risks of XXE attacks and best practices for secure XML handling.
- Verify the patch application by checking the product version post-update to ensure the system is running 7.5.0 UP12 IF02.
- Disable or monitor autoupdate mechanisms temporarily until the patch is applied to prevent abuse of the update process.
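Checking the version after the update, and finding every appliance that still needs it, is easier with a small script than by eye, because QRadar's UP/IF notation does not sort as plain text. The following Python example is added here and is not IBM tooling: it assumes versions are written the way this advisory writes them ("7.5", "7.5.0 UP12 IF01"), and the host inventory in it is constructed sample data.

```python
"""Classify IBM QRadar SIEM version strings against this advisory.

Added example, not IBM tooling. Assumes the advisory's notation
major.minor[.patch] [UP<n>] [IF<n>]; the inventory is constructed sample data.
"""
import re

# "UP" = update package, "IF" = interim fix; both optional, case-insensitive.
_VERSION = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(?:\s*UP\s*(\d+))?(?:\s*IF\s*(\d+))?\s*$",
    re.IGNORECASE,
)


def parse_version(text: str) -> tuple:
    """Return (major, minor, patch, up, if) so tuples compare in release order.

    Missing components count as 0, so "7.5" sorts before "7.5.0 UP1" and
    "7.5.0 UP12" sorts before "7.5.0 UP12 IF01".
    """
    match = _VERSION.match(text)
    if not match:
        raise ValueError(f"unrecognised QRadar version string: {text!r}")
    return tuple(int(part or 0) for part in match.groups())


# Ranges taken from the advisory text.
AFFECTED_LOW = parse_version("7.5")
AFFECTED_HIGH = parse_version("7.5.0 UP12 IF01")
FIXED = parse_version("7.5.0 UP12 IF02")


def assess(text: str) -> str:
    """'affected', 'fixed', or 'not covered' for release lines the advisory omits."""
    version = parse_version(text)
    if version[:3] != FIXED[:3]:
        return "not covered"  # advisory says nothing about other release lines
    if version >= FIXED:
        return "fixed"  # IF02 or any later update package on the 7.5.0 line
    if AFFECTED_LOW <= version <= AFFECTED_HIGH:
        return "affected"
    return "not covered"


def triage(inventory: dict) -> dict:
    """Map each host to its status; unparsable strings are flagged for review."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = assess(version)
        except ValueError:
            result[host] = "unrecognised version, review manually"
    return result


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE_INVENTORY = {
    "qradar-console-01": "7.5.0 UP12 IF01",
    "qradar-console-02": "7.5.0 UP12 IF02",
    "qradar-ep-03": "7.5.0 UP10",
    "qradar-legacy-04": "7.4.3 FP6",  # older notation, not parsed by this pattern
    "qradar-lab-05": "7.5",
}


if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:20} {SAMPLE_INVENTORY[host]:18} {status}")
```

The "not covered" and "unrecognised" outcomes are deliberate: a version the advisory does not mention, or one written in a notation the pattern does not know, should land on a human's desk rather than be silently counted as safe.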