CVE-2025-36376 identifies a session management vulnerability in IBM Security QRadar EDR versions 3.12 through 3.12.23. The core issue is insufficient session expiration controls (CWE-613), where the system fails to invalidate user sessions properly after their expiration time. This flaw enables an authenticated user to reuse an expired session token to impersonate another user, potentially gaining unauthorized access or privileges. The vulnerability affects the confidentiality, integrity, and availability of the QRadar EDR system by allowing session hijacking or unauthorized actions under another user's identity. The CVSS v3.1 score of 6.3 reflects a medium severity, with network attack vector, low attack complexity, and requiring privileges but no user interaction. No public exploits are currently known, but the risk remains significant due to the critical role QRadar EDR plays in security monitoring and incident response. The vulnerability could facilitate lateral movement within networks or unauthorized access to sensitive security data. IBM has not yet published patches, so organizations must rely on compensating controls until updates are available.

For European organizations, this vulnerability poses a risk to the security and trustworthiness of their endpoint detection and response infrastructure. Successful exploitation could allow malicious insiders or compromised accounts to impersonate other users, potentially escalating privileges or accessing sensitive security telemetry and configurations. This could undermine incident detection, delay response efforts, or facilitate further attacks such as data exfiltration or ransomware deployment. Critical sectors like finance, energy, telecommunications, and government agencies that rely heavily on IBM QRadar EDR for threat detection are particularly vulnerable. The medium severity indicates a moderate but tangible risk that could impact confidentiality, integrity, and availability of security operations. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially in targeted attacks.

1. Implement strict session management policies, including reducing session timeout durations and enforcing immediate session invalidation upon logout or expiration. 2. Monitor and log session activities to detect anomalous reuse of expired session tokens or unusual user impersonation patterns. 3. Restrict access to QRadar EDR consoles to trusted networks and enforce multi-factor authentication (MFA) to reduce the risk of compromised credentials. 4. Apply network segmentation to isolate QRadar EDR components from general user networks, limiting lateral movement opportunities. 5. Regularly review and audit user privileges to minimize the number of accounts with elevated access. 6. Stay informed on IBM’s security advisories and apply patches promptly once released. 7. Consider deploying web application firewalls (WAFs) or session management proxies that can enforce session expiration policies externally as a temporary control.