
CVE-2025-33097: CWE-79 in IBM QRadar SIEM

Severity: Medium
Published: Tue Jul 15 2025 (07/15/2025, 14:29:54 UTC)
Source: CVE Database V5
Vendor/Project: IBM
Product: QRadar SIEM

Description

IBM QRadar SIEM 7.5 - 7.5.0 UP12 IF02 is vulnerable to stored cross-site scripting. This vulnerability allows authenticated users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.

AI-Powered Analysis

Last updated: 07/15/2025, 15:01:36 UTC

Technical Analysis

CVE-2025-33097 is a stored cross-site scripting (XSS) vulnerability in IBM QRadar SIEM versions 7.5 through 7.5.0 UP12 IF02. It arises from insufficient input sanitization in the web user interface, which allows authenticated users to inject arbitrary JavaScript that is persistently stored and later executed in the context of the application. Because the XSS is stored, the malicious script runs whenever a legitimate user views the affected UI component, potentially altering the intended functionality of the SIEM platform. Exploitation requires no user interaction beyond accessing the compromised interface, and it can lead to disclosure of sensitive information, including credentials, within a trusted session.

The CVSS v3.1 base score is 6.4 (medium severity), reflecting a network-based attack vector, low attack complexity and the privileges of an authenticated user, with no user interaction required. The scope is changed, meaning the vulnerability can affect components beyond the initially vulnerable module. The impact is primarily to confidentiality and integrity, with no direct impact on availability. No exploits are currently reported in the wild, and no official patches or mitigation links have been published yet. The vulnerability is classified under CWE-79, a common and well-understood web application weakness: improper neutralization of input during web page generation, leading to XSS.

Potential Impact

For European organizations using IBM QRadar SIEM 7.5.x, this vulnerability poses a significant risk to the confidentiality and integrity of security monitoring data. QRadar SIEM is a critical security infrastructure component that aggregates and analyzes security events; compromise of its web interface could allow attackers to manipulate displayed data, inject misleading alerts, or steal session credentials. This could lead to unauthorized access to sensitive security information, undermining incident detection and response capabilities. Given the trusted nature of the SIEM environment, attackers exploiting this vulnerability could escalate privileges or move laterally within the network. The impact is particularly concerning for sectors with stringent data protection requirements under GDPR, such as finance, healthcare, and critical infrastructure, where exposure of credentials or manipulation of security logs could result in regulatory penalties and operational disruptions.

Mitigation Recommendations

Organizations should implement the following specific mitigations:

1) Restrict QRadar SIEM web UI access strictly to trusted and segmented network zones, minimizing exposure to untrusted users.
2) Enforce the principle of least privilege by limiting user roles and permissions within QRadar, reducing the number of authenticated users capable of injecting malicious scripts.
3) Monitor and audit user-generated content and configuration changes within the SIEM for suspicious or anomalous entries that could indicate attempted exploitation.
4) Employ web application firewalls (WAFs) with custom rules to detect and block common XSS payloads targeting QRadar interfaces.
5) Regularly update and patch QRadar as IBM releases fixes; until then, consider temporary workarounds such as disabling or restricting vulnerable UI components if feasible.
6) Educate administrators and users about the risks of stored XSS and encourage vigilance when interacting with the SIEM interface.
7) Implement multi-factor authentication (MFA) to limit the impact of a credential compromise.


Technical Details

Data Version: 5.1
Assigner Short Name: ibm
Date Reserved: 2025-04-15T17:50:40.773Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 687669b1a83201eaaccf1d36

Added to database: 7/15/2025, 2:46:09 PM

Last enriched: 7/15/2025, 3:01:36 PM

Last updated: 7/15/2025, 8:32:34 PM
