{"api_version":"1","generated_at":"2026-04-23T09:05:38+00:00","cve":"CVE-2025-36373","urls":{"html":"https://cve.report/CVE-2025-36373","api":"https://cve.report/api/cve/CVE-2025-36373.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2025-36373","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2025-36373"},"summary":{"title":"Incorrect administrative access control in IBM DataPower Gateway","description":"IBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0 and IBM DataPower Gateway 10.5.0 10.5.0.0 through 10.5.0.20 and IBM DataPower Gateway 10.6.0 10.6.0.0 through 10.6.0.8 IBM DataPower Gateway could disclose sensitive system information from other domains to an administrative user.","state":"PUBLISHED","assigner":"ibm","published_at":"2026-04-01 21:16:57","updated_at":"2026-04-06 16:50:00"},"problem_types":["CWE-497","NVD-CWE-noinfo","CWE-497 CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"6.8","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N","baseScore":6.8,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"3.1","source":"psirt@us.ibm.com","type":"Secondary","score":"4.1","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N","baseScore":4.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"4.1","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":4.1,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"NONE","privilegesRequired":"HIGH","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N","version":"3.1"}}],"references":[{"url":"https://www.ibm.com/support/pages/node/7267833","name":"https://www.ibm.com/support/pages/node/7267833","refsource":"psirt@us.ibm.com","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-36373","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-36373","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"IBM","product":"DataPower Gateway 10.6CD","version":"affected 10.6.1.0 10.6.5.0 semver","platforms":[]},{"source":"CNA","vendor":"IBM","product":"DataPower Gateway 10.5.0","version":"affected 10.5.0.0 10.5.0.20 semver","platforms":[]},{"source":"CNA","vendor":"IBM","product":"DataPower Gateway 10.6.0","version":"affected 10.6.0.0 10.6.0.8 semver","platforms":[]}],"timeline":[],"solutions":[{"source":"CNA","title":"","value":"Affected Product(s)Fixed in versionFix listIBM DataPower Gateway 10.6CD 10.6.1.0 - 10.6.5.010.6.6.0 Installation and Upgrade 10.6.x https://www.ibm.com/docs/en/datapower-gateway/10.6.x IBM DataPower Gateway 10.5.0.0 - 10.5.0.2010.5.0.21 Installation and Upgrade 10.5.0 https://www.ibm.com/docs/en/datapower-gateway/10.5.0 IBM DataPower Gateway 10.6.0.0 - 10.6.0.810.6.0.9 Installation and Upgrade 10.6.0 https://www.ibm.com/docs/en/datapower-gateway/10.6.0","time":"","lang":"en"}],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Acknowledgement This vulnerability was reported to IBM by Michał Bartoszuk & Maciej Włodarczyk @ STM Cyber.","lang":"en"}],"nvd_cpes":[{"cve_year":"2025","cve_id":"36373","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"ibm","cpe5":"datapower_gateway","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2025","cve_id":"36373","cve":"CVE-2025-36373","epss":"0.000340000","percentile":"0.096900000","score_date":"2026-04-07","updated_at":"2026-04-08 00:03:39"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2025-36373","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-04-02T15:48:55.294586Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-04-02T15:49:19.578Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"cpes":["cpe:2.3:a:ibm:datapower_gateway_106cd:10.6.1.0:*:*:*:*:*:*:*","cpe:2.3:a:ibm:datapower_gateway_106cd:10.6.5.0:*:*:*:*:*:*:*"],"product":"DataPower Gateway 10.6CD","vendor":"IBM","versions":[{"lessThanOrEqual":"10.6.5.0","status":"affected","version":"10.6.1.0","versionType":"semver"}]},{"cpes":["cpe:2.3:a:ibm:datapower_gateway_1050:10.5.0.0:*:*:*:*:*:*:*","cpe:2.3:a:ibm:datapower_gateway_1050:10.5.0.20:*:*:*:*:*:*:*"],"product":"DataPower Gateway 10.5.0","vendor":"IBM","versions":[{"lessThanOrEqual":"10.5.0.20","status":"affected","version":"10.5.0.0","versionType":"semver"}]},{"cpes":["cpe:2.3:a:ibm:datapower_gateway_1060:10.6.0.0:*:*:*:*:*:*:*","cpe:2.3:a:ibm:datapower_gateway_1060:10.6.0.8:*:*:*:*:*:*:*"],"product":"DataPower Gateway 10.6.0","vendor":"IBM","versions":[{"lessThanOrEqual":"10.6.0.8","status":"affected","version":"10.6.0.0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"Acknowledgement This vulnerability was reported to IBM by Michał Bartoszuk & Maciej Włodarczyk @ STM Cyber."}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>IBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0 and IBM DataPower Gateway 10.5.0 10.5.0.0 through 10.5.0.20 and IBM DataPower Gateway 10.6.0 10.6.0.0 through 10.6.0.8 IBM DataPower Gateway could disclose sensitive system information from other domains to an administrative user.</p>"}],"value":"IBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0 and IBM DataPower Gateway 10.5.0 10.5.0.0 through 10.5.0.20 and IBM DataPower Gateway 10.6.0 10.6.0.0 through 10.6.0.8 IBM DataPower Gateway could disclose sensitive system information from other domains to an administrative user."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":4.1,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"NONE","privilegesRequired":"HIGH","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-497","description":"CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-01T20:49:32.409Z","orgId":"9a959283-ebb5-44b6-b705-dcc2bbced522","shortName":"ibm"},"references":[{"tags":["vendor-advisory","patch"],"url":"https://www.ibm.com/support/pages/node/7267833"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<div><table><tbody><tr><td>Affected Product(s)</td><td>Fixed in version</td><td>Fix list</td></tr><tr><td>IBM DataPower Gateway 10.6CD 10.6.1.0 - 10.6.5.0</td><td>10.6.6.0</td><td><a href=\"https://www.ibm.com/docs/en/datapower-gateway/10.6.x?topic=overview-release-notes#relnotes__install__title__1\" rel=\"nofollow\">Installation and Upgrade 10.6.x</a></td></tr><tr><td>IBM DataPower Gateway 10.5.0.0 - 10.5.0.20</td><td>10.5.0.21</td><td><a href=\"https://www.ibm.com/docs/en/datapower-gateway/10.5.0?topic=overview-release-notes#relnotes__install__title__1\" rel=\"nofollow\">Installation and Upgrade 10.5.0</a></td></tr><tr><td>IBM DataPower Gateway 10.6.0.0 - 10.6.0.8</td><td>10.6.0.9</td><td><a href=\"https://www.ibm.com/docs/en/datapower-gateway/10.6.0?topic=overview-release-notes#relnotes__install__title__1\" rel=\"nofollow\">Installation and Upgrade 10.6.0</a></td></tr></tbody></table></div><p><br></p>"}],"value":"Affected Product(s)Fixed in versionFix listIBM DataPower Gateway 10.6CD 10.6.1.0 - 10.6.5.010.6.6.0 Installation and Upgrade 10.6.x https://www.ibm.com/docs/en/datapower-gateway/10.6.x IBM DataPower Gateway 10.5.0.0 - 10.5.0.2010.5.0.21 Installation and Upgrade 10.5.0 https://www.ibm.com/docs/en/datapower-gateway/10.5.0 IBM DataPower Gateway 10.6.0.0 - 10.6.0.810.6.0.9 Installation and Upgrade 10.6.0 https://www.ibm.com/docs/en/datapower-gateway/10.6.0"}],"title":"Incorrect administrative access control in IBM DataPower Gateway","x_generator":{"engine":"ibm-cvegen"}}},"cveMetadata":{"assignerOrgId":"9a959283-ebb5-44b6-b705-dcc2bbced522","assignerShortName":"ibm","cveId":"CVE-2025-36373","datePublished":"2026-04-01T20:47:46.485Z","dateReserved":"2025-04-15T21:16:56.325Z","dateUpdated":"2026-04-02T15:49:19.578Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-01 21:16:57","lastModifiedDate":"2026-04-06 16:50:00","problem_types":["CWE-497","NVD-CWE-noinfo","CWE-497 CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere"],"metrics":{"cvssMetricV31":[{"source":"psirt@us.ibm.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N","baseScore":4.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.3,"impactScore":1.4},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N","baseScore":6.8,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.3,"impactScore":4}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:ibm:datapower_gateway:*:*:*:*:*:*:*:*","versionStartIncluding":"10.5.0.0","versionEndExcluding":"10.5.0.21","matchCriteriaId":"CE32BDC7-B268-4779-A283-F94DCF1433D3"},{"vulnerable":true,"criteria":"cpe:2.3:a:ibm:datapower_gateway:*:*:*:*:*:*:*:*","versionStartIncluding":"10.6.0.0","versionEndExcluding":"10.6.0.9","matchCriteriaId":"9036053D-6E1A-4B2F-ACCA-5E3F4443F73E"},{"vulnerable":true,"criteria":"cpe:2.3:a:ibm:datapower_gateway:*:*:*:*:continuous_delivery:*:*:*","versionStartIncluding":"10.6.1.0","versionEndExcluding":"10.6.6.0","matchCriteriaId":"E75118C5-5C01-404E-B857-56B9D6CA2119"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2025","CveId":"36373","Ordinal":"1","Title":"Incorrect administrative access control in IBM DataPower Gateway","CVE":"CVE-2025-36373","Year":"2025"},"notes":[{"CveYear":"2025","CveId":"36373","Ordinal":"1","NoteData":"IBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0 and IBM DataPower Gateway 10.5.0 10.5.0.0 through 10.5.0.20 and IBM DataPower Gateway 10.6.0 10.6.0.0 through 10.6.0.8 IBM DataPower Gateway could disclose sensitive system information from other domains to an administrative user.","Type":"Description","Title":"Incorrect administrative access control in IBM DataPower Gateway"}]}}}