CVE-2025-36377 identifies a session management vulnerability in IBM Security QRadar EDR versions 3.12 through 3.12.23. The core issue is insufficient session expiration controls (CWE-613), where the system fails to invalidate user sessions properly after their expiration time elapses. This flaw allows an authenticated user to reuse or hijack an expired session token, effectively impersonating another user on the system. Since QRadar EDR is a critical security product used for endpoint detection and response, unauthorized access through session impersonation can lead to unauthorized data access, manipulation of security alerts, or disruption of incident response workflows. The CVSS v3.1 score of 6.3 reflects a medium severity, with attack vector being network-based, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality, integrity, and availability to a limited extent. No public exploits are currently known, but the vulnerability's nature suggests that an insider or an attacker with some level of access could leverage this flaw to escalate privileges or bypass access controls. The lack of session invalidation after expiration indicates a design or implementation flaw in session management, which is critical for maintaining secure authentication states in web-based or API-driven management consoles.

For European organizations, this vulnerability could undermine the security of IBM QRadar EDR deployments, which are widely used for monitoring and responding to cyber threats. Successful exploitation could allow malicious insiders or attackers who have gained initial access to impersonate other users, potentially including administrators, leading to unauthorized access to sensitive security data, manipulation or suppression of alerts, and interference with incident response processes. This could degrade the overall security posture and delay detection or mitigation of attacks. Critical sectors such as finance, energy, telecommunications, and government agencies in Europe that rely on QRadar EDR for endpoint security monitoring are particularly at risk. The impact extends to confidentiality (exposure of sensitive security telemetry), integrity (tampering with detection data), and availability (disruption of security operations). Although exploitation requires some level of authenticated access, the ease of session reuse without re-authentication increases risk, especially in environments with shared or poorly managed credentials.

Organizations should immediately review and tighten session management policies for IBM QRadar EDR, including reducing session timeout durations and enforcing strict session invalidation upon expiration or logout. Monitoring and logging should be enhanced to detect anomalous session reuse or concurrent sessions from the same user account. Network segmentation and access controls should limit who can authenticate to QRadar EDR consoles. Until IBM releases a patch or updated version addressing this vulnerability, consider implementing compensating controls such as multi-factor authentication (MFA) to reduce the risk of session hijacking. Regularly audit user sessions and revoke stale or suspicious sessions manually if possible. Additionally, organizations should plan to upgrade to a fixed version once available and stay informed via IBM security advisories. Security teams should also conduct internal penetration testing focused on session management weaknesses to identify potential exploitation paths.