CVE-2025-36138: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in IBM QRadar SIEM
IBM QRadar SIEM 7.5 through 7.5.0 Update Pack 13 Independent Fix 02 is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
AI Analysis
Technical Summary
CVE-2025-36138 is a stored cross-site scripting vulnerability classified under CWE-79, affecting IBM QRadar SIEM versions 7.5 through 7.5.0 Update Pack 13 Independent Fix 02, with 7.5.0 listed as the affected version in the record. The vulnerability arises from improper neutralization of user-supplied input during web page generation within the QRadar web interface. An authenticated user with low privileges can embed arbitrary JavaScript code into the web UI; the code is stored and later executed in the context of other users' sessions. This can lead to unauthorized actions such as credential theft, session hijacking, or manipulation of the SIEM interface, compromising the confidentiality and integrity of the system. The attack vector is network-based (remote), with low attack complexity, privileges required, and no user interaction; the scope is changed because the vulnerability affects components or users beyond the attacker's own session. The CVSS v3.1 base score is 6.4 (medium severity), reflecting a moderate impact on confidentiality and integrity and no impact on availability. No public exploits have been reported yet, but the vulnerability poses a significant risk given the critical role of QRadar SIEM in security monitoring and incident response. The lack of available patches at the time of publication necessitates immediate mitigation efforts by affected organizations.
Potential Impact
For European organizations, this vulnerability poses a risk to the confidentiality and integrity of security event data and user credentials within IBM QRadar SIEM environments. Since QRadar is widely used by enterprises and critical infrastructure operators for security monitoring, exploitation could allow attackers to escalate privileges, manipulate security alerts, or exfiltrate sensitive information. This could undermine incident detection and response capabilities, potentially allowing further undetected compromise. Because the XSS is stored, once malicious code is injected it can affect every user who views the compromised interface, increasing the attack's reach. Given the medium severity and the criticality of SIEM systems, the impact on European organizations could be significant, especially in sectors like finance, energy, telecommunications, and government, where QRadar is commonly deployed.
Mitigation Recommendations
1. Restrict QRadar web UI access to trusted and minimal user groups, enforcing the principle of least privilege to limit who can inject malicious scripts.
2. Implement strict input validation and sanitization on all user inputs within the QRadar interface, if possible via configuration or custom rules.
3. Monitor web UI logs and user activity for unusual behavior indicative of XSS exploitation attempts.
4. Employ web application firewalls (WAFs) with rules designed to detect and block XSS payloads targeting QRadar interfaces.
5. Isolate QRadar management interfaces from general network access, using VPNs or jump hosts to reduce exposure.
6. Stay updated with IBM security advisories and apply patches or fixes as soon as they become available.
7. Educate users with access to QRadar about the risks of XSS and encourage reporting of suspicious UI behavior.
8. Consider deploying Content Security Policy (CSP) headers if configurable to reduce the impact of injected scripts.
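Items 2 and 3 above call for neutralizing stored input and monitoring for injected markup. The following is an added example, not code from IBM or the QRadar product, showing in plain JavaScript the CWE-79 pattern (a stored field concatenated into HTML unescaped) beside the context-aware escaping that fixes it, plus a simple check that flags tag syntax in a field meant to hold plain text. The function names, the `note` object with `author` and `text` fields, and the sample value are hypothetical, constructed for illustration.

```javascript
// Added example (not IBM QRadar code): CWE-79 output-encoding fix for stored XSS,
// shown against the vulnerable concatenation pattern, plus a plain-text-field check.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Escape a value for insertion into HTML text or a double-quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable renderer: the stored note is dropped into markup as-is, so any tag
// the author stored is parsed by every viewer's browser (the stored-XSS defect).
function renderNoteVulnerable(note) {
  return `<div class="note"><b>${note.author}</b>: ${note.text}</div>`;
}

// Hardened renderer: every untrusted field is escaped for the HTML context it lands in.
function renderNoteHardened(note) {
  return `<div class="note"><b>${escapeHtml(note.author)}</b>: ${escapeHtml(note.text)}</div>`;
}

// Monitoring helper: a field that is supposed to hold plain text should never
// contain a tag opener or a script URL scheme; flag it for analyst review if it does.
// "<" followed directly by a letter, "/" or "!" is what a browser treats as a tag,
// so a comparison such as "a < b" is not flagged.
const MARKUP_PATTERN = /<\/?[a-z!]|javascript\s*:/i;
function containsMarkup(value) {
  return MARKUP_PATTERN.test(String(value));
}

// Constructed sample of a stored note (hypothetical field names and value).
const SAMPLE_NOTE = { author: 'analyst1', text: '<script>alert(1)</script> reviewed' };

// Render the sample both ways and run the check, for a side-by-side comparison.
function demo() {
  return {
    vulnerable: renderNoteVulnerable(SAMPLE_NOTE),
    hardened: renderNoteHardened(SAMPLE_NOTE),
    flagged: containsMarkup(SAMPLE_NOTE.text),
  };
}
```

The hardened output keeps the stored text readable but inert; escaping is applied at render time, per output context, rather than by trying to strip "bad" input on the way in. A CSP header that forbids inline scripts (item 8) is a further layer that limits what an escaped-but-missed field could do.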
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: ibm
- Date Reserved: 2025-04-15T21:16:19.008Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68ffbf81ba6dffc5e207e335
Added to database: 10/27/2025, 6:52:49 PM
Last enriched: 10/27/2025, 7:09:11 PM
Last updated: 10/30/2025, 9:39:49 AM