CVE-2025-36170 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79 affecting IBM QRadar SIEM versions 7.5.0 through 7.5.0 Update Pack 13 Independent Fix 02. The flaw arises from improper neutralization of input during web page generation, allowing an authenticated user to embed arbitrary JavaScript code within the QRadar web user interface. This malicious script can execute in the context of other users' browsers who access the compromised interface, potentially altering the intended functionality of the SIEM platform. The exploitation requires the attacker to have authenticated access, but no additional user interaction is needed once the malicious script is stored. The vulnerability can lead to the disclosure of sensitive information such as session credentials, enabling further unauthorized actions within the trusted session. The CVSS v3.1 base score is 6.4, reflecting medium severity, with metrics indicating network attack vector, low attack complexity, privileges required, no user interaction, and a scope change due to impact on other components. While no public exploits are currently known, the vulnerability poses a significant risk given QRadar’s role in security monitoring and incident response. The lack of available patches at the time of publication necessitates immediate mitigation efforts by affected organizations.

For European organizations, this vulnerability poses a risk to the confidentiality and integrity of security monitoring data and credentials within IBM QRadar SIEM environments. Successful exploitation could allow attackers to hijack sessions, manipulate SIEM data, or gain unauthorized access to sensitive security information, undermining incident detection and response capabilities. This could lead to delayed or ineffective threat mitigation, increasing exposure to further attacks. Given QRadar’s widespread use in critical infrastructure, financial institutions, and government agencies across Europe, the impact could be substantial, potentially affecting national security and economic stability. The vulnerability does not affect availability directly but compromises trust in the security monitoring platform, which is critical for maintaining robust cybersecurity posture.

Organizations should immediately verify their IBM QRadar SIEM version and apply any available patches or updates from IBM once released. In the absence of patches, restrict authenticated user access to the QRadar web interface to only trusted personnel and enforce the principle of least privilege. Implement strict input validation and sanitization on all user-supplied data within the SIEM interface to prevent script injection. Monitor logs for unusual activity indicative of exploitation attempts. Consider deploying web application firewalls (WAFs) with custom rules to detect and block XSS payloads targeting QRadar. Conduct regular security awareness training for administrators to recognize and report suspicious behavior. Additionally, segment the SIEM environment from less trusted networks to reduce the attack surface. Finally, prepare incident response plans specifically addressing potential compromise scenarios involving SIEM manipulation.