CVE-2025-36054 is a cross-site scripting (XSS) vulnerability classified under CWE-79 that affects IBM Business Automation Workflow containers versions 24.0.0 through 24.0.0-IF006, 24.0.1 through 24.0.1-IF004, 25.0.0 through 25.0.0-IF001, and traditional deployments with Process Federation Server versions 24.0.0 through 25.0.0. The vulnerability arises from improper neutralization of input during web page generation, allowing an unauthenticated attacker to inject arbitrary JavaScript code into the web user interface. This injected code can execute in the context of a legitimate user’s browser session, potentially altering the intended functionality of the application. The primary risk is the disclosure of credentials or other sensitive information within a trusted session, as the malicious script can capture session tokens, cookies, or user inputs. The vulnerability does not require authentication but does require user interaction, such as clicking a crafted link or visiting a malicious page. The CVSS v3.1 base score is 6.1, indicating medium severity, with attack vector network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:R), scope changed (S:C), and impacts on confidentiality and integrity (C:L/I:L) but no impact on availability (A:N). No public exploits have been reported yet, but the vulnerability’s presence in widely used IBM workflow automation products makes it a significant concern for enterprise environments that rely on these systems for critical business processes.

For European organizations, this vulnerability poses a risk to the confidentiality and integrity of sensitive business process data managed through IBM Business Automation Workflow. Successful exploitation could lead to credential theft, session hijacking, and unauthorized actions within the workflow environment, potentially disrupting business operations or exposing confidential information. Organizations in sectors such as finance, manufacturing, government, and critical infrastructure that utilize IBM Business Automation Workflow containers are particularly at risk. The vulnerability could be leveraged as an initial access vector or to escalate privileges within enterprise environments. Given the scope change in the CVSS vector, the impact extends beyond the vulnerable component, potentially affecting other integrated systems and services. The lack of authentication requirement lowers the barrier for attackers, increasing the likelihood of exploitation if mitigations are not applied promptly. Although no known exploits are currently in the wild, the medium severity rating and the critical nature of affected systems necessitate immediate attention to prevent potential attacks.

1. Apply official IBM patches or updates as soon as they become available for the affected Business Automation Workflow versions. 2. Implement strict input validation and output encoding on all user-supplied data within the workflow web interfaces to prevent script injection. 3. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in the web UI. 4. Limit access to the IBM Business Automation Workflow web interfaces to trusted networks and authenticated users where possible, using network segmentation and access controls. 5. Monitor web application logs and user activity for signs of suspicious behavior indicative of XSS exploitation attempts. 6. Educate users about the risks of clicking on untrusted links or interacting with unknown content within the workflow environment. 7. Consider deploying web application firewalls (WAFs) with rules tailored to detect and block XSS payloads targeting IBM workflow applications. 8. Regularly review and update security configurations and conduct penetration testing focused on web interface vulnerabilities.