CVE-2025-36134 identifies a vulnerability in IBM Sterling B2B Integrator and IBM Sterling File Gateway versions 6.0.0.0 through 6.1.2.7, 6.2.0.0 through 6.2.0.5, and 6.2.1.1. The root cause is the absence or insecure configuration of the SameSite attribute on sensitive cookies used by these applications. The SameSite cookie attribute is a security control that restricts how cookies are sent with cross-site requests, helping to prevent cross-site request forgery (CSRF) and cross-site information leakage. Without a proper SameSite attribute, cookies may be sent in cross-site contexts, potentially exposing sensitive session or authentication information to malicious websites or attackers conducting cross-site attacks. The vulnerability is categorized under CWE-1275, which relates to insecure cookie handling. The CVSS v3.1 base score is 3.7, reflecting a low severity due to the vulnerability's limited impact on confidentiality, no impact on integrity or availability, and the requirement of a high attack complexity with no privileges or user interaction needed. No public exploits have been reported, and no patches are currently linked, indicating that remediation may rely on configuration changes or forthcoming vendor updates. This vulnerability primarily affects the confidentiality of sensitive information handled by IBM Sterling B2B Integrator and File Gateway, which are widely used for secure B2B file transfers and integrations.

For European organizations, this vulnerability could lead to the unintended disclosure of sensitive session or authentication information through cookies in cross-site scenarios. This may enable attackers to hijack sessions or gain unauthorized access to B2B integration platforms, potentially disrupting business communications or exposing confidential data exchanged with partners. While the direct impact is limited due to the low severity and lack of known exploits, organizations relying heavily on IBM Sterling products for critical supply chain or financial transactions could face increased risks if attackers leverage this weakness in conjunction with other vulnerabilities or social engineering. The confidentiality breach could undermine trust with business partners and lead to regulatory compliance issues under GDPR if personal or sensitive data is exposed. However, the absence of integrity or availability impact reduces the likelihood of direct operational disruptions or data manipulation.

Organizations should immediately review and update the cookie configurations in IBM Sterling B2B Integrator and File Gateway to ensure that the SameSite attribute is set to 'Strict' or at least 'Lax' for all sensitive cookies. This change limits cookie transmission in cross-site requests and mitigates the risk of information leakage. Monitoring and logging of unusual cross-site requests should be enhanced to detect potential exploitation attempts. Since no patches are currently linked, organizations should stay alert for vendor advisories and apply any forthcoming updates promptly. Additionally, implementing web application firewalls (WAFs) with rules to detect and block suspicious cross-site traffic can provide an additional layer of defense. Regular security assessments and penetration testing focused on session management and cookie security will help identify residual risks. Finally, educating developers and administrators about secure cookie handling best practices is critical to prevent similar issues.