June 4, 2025
Severity
Medium
Analysis Summary
IBM has disclosed multiple critical vulnerabilities in its QRadar Suite Software and Cloud Pak for Security, posing a serious threat to enterprise security infrastructures. The most severe of these, CVE-2025-25022, carries a High CVSS severity rating and allows unauthenticated attackers with adjacent network access to retrieve highly sensitive configuration files. This vulnerability is linked to CWE-260: Password in Configuration File, where weak access controls permit exposure of critical system data, including passwords and internal configurations. The associated CVSS vector indicates potential for high impact across confidentiality, integrity, and availability, all with low attack complexity.
The vulnerabilities affect IBM Cloud Pak for Security versions 1.10.0.0 through 1.10.11.0 and QRadar Suite Software versions 1.10.12.0 through 1.11.2.0. Because the attack vector is adjacent network access, even a partial breach of the network perimeter could enable attackers to leverage this flaw for privilege escalation and broader system compromise. This puts organizations relying on QRadar SIEM for security monitoring and incident response at elevated risk, as attackers gaining access to sensitive configuration files could map out or manipulate entire security infrastructures.
In addition to CVE-2025-25022, IBM identified four other vulnerabilities impacting QRadar’s security. CVE-2025-25021, a code injection flaw rated high, allows privileged users to execute arbitrary code due to insufficient control over script generation (CWE-94). CVE-2025-25019 relates to session persistence issues, allowing potential user impersonation through unexpired sessions (CWE-613). CVE-2025-25020 affects API input validation, opening the door to denial-of-service (DoS) attacks (CWE-1287), while CVE-2025-1334 involves browser cache vulnerabilities (CWE-525) that could let local users access sensitive cached data.
IBM strongly urges all affected organizations to upgrade to version 1.11.3.0 or later, as no workarounds or temporary mitigations have been made available. The company has provided detailed remediation steps through the Cloud Pak for Security documentation portal. This advisory underscores the importance of timely patch management and access control hygiene, especially for critical security infrastructure platforms. The vulnerabilities were discovered by IBM’s internal security team. Organizations are advised to prioritize patching CVE-2025-25022 while addressing the remaining issues to restore a secure operating posture.
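Because the advisory gives exact affected ranges and a single fixed version, the first question for a defender is whether an installed build falls inside those ranges. The following is an added example, not code from the advisory or from IBM; it encodes the ranges quoted above and the constructed inventory entries are assumptions for illustration:

```python
"""Check IBM QRadar Suite Software / Cloud Pak for Security versions against
the affected ranges and fixed version stated in the advisory."""

# Affected ranges as stated in the advisory, inclusive on both ends.
AFFECTED_RANGES = {
    "IBM QRadar Suite Software": ("1.10.12.0", "1.11.2.0"),
    "IBM Cloud Pak for Security": ("1.10.0.0", "1.10.11.0"),
}
# Upgrade target named in the advisory ("1.11.3.0 or later").
FIXED_VERSION = "1.11.3.0"


def parse_version(text):
    """Turn a dotted numeric version such as '1.10.12.0' into a comparable
    4-tuple, padding short strings so '1.11' compares as 1.11.0.0."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def is_affected(product, version):
    """True if version lies inside the advisory's affected range for product."""
    lo, hi = AFFECTED_RANGES[product]
    return parse_version(lo) <= parse_version(version) <= parse_version(hi)


def is_fixed(version):
    """True if version meets or exceeds the fixed release."""
    return parse_version(version) >= parse_version(FIXED_VERSION)


def assess(product, version):
    """Return 'affected', 'fixed' or 'outside listed range' for one install."""
    if product not in AFFECTED_RANGES:
        raise KeyError(f"product not covered by this advisory: {product!r}")
    if is_affected(product, version):
        return "affected"
    if is_fixed(version):
        return "fixed"
    return "outside listed range"


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical, not real deployments).
    inventory = [("IBM QRadar Suite Software", "1.11.2.0"),
                 ("IBM Cloud Pak for Security", "1.10.11.0"),
                 ("IBM QRadar Suite Software", "1.11.3.0")]
    for product, ver in inventory:
        print(f"{product} {ver}: {assess(product, ver)}")
```

A version that reports "outside listed range" is not necessarily safe; it only means the advisory does not name it, so confirm against the IBM Security Advisory directly.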
Impact
- Denial of Service
- Gain Access
- Code Execution
- Information Disclosure
- Privilege Escalation
Indicators of Compromise
CVE
- CVE-2025-25022
- CVE-2025-25021
- CVE-2025-1334
- CVE-2025-25020
- CVE-2025-25019
Affected Vendors
- IBM
Affected Products
- IBM QRadar Suite Software 1.10.12.0 - 1.11.2.0
- IBM Cloud Pak for Security 1.10.0.0 - 1.10.11.0
Remediation
- Refer to the IBM Security Advisory for patch, upgrade, or suggested workaround information.
- Use IBM’s Cloud Pak for Security documentation portal to access detailed installation and upgrade instructions.
- IBM has not released any temporary fixes or mitigations; upgrading is the only effective protection.
- Address CVE-2025-25022 first, given its unauthenticated access risk and High CVSS rating.
- After upgrading, verify system integrity and access controls to ensure that sensitive configuration files are properly secured.
- Ensure that user sessions expire appropriately to prevent exploitation of CVE-2025-25019.
- Limit privileged access and review case management scripts to mitigate risks related to CVE-2025-25021.
- Apply stricter validation checks to API inputs to prevent potential DoS attacks from CVE-2025-25020.