CVE-2025-36397: CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in IBM Application Gateway
IBM Application Gateway 23.10 through 25.09 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site.
AI Analysis
Technical Summary
CVE-2025-36397 is an HTML injection vulnerability classified under CWE-80, affecting IBM Application Gateway versions 23.10 through 25.09. This vulnerability arises from improper neutralization of script-related HTML tags, allowing an authenticated remote attacker to inject malicious HTML code into web pages served by the gateway. When a victim views the compromised page, the injected code executes within the security context of the hosting site, potentially enabling theft of sensitive information, session hijacking, or manipulation of displayed content. The vulnerability requires the attacker to have some level of privileges (PR:L) and user interaction (UI:R) to be exploited, which limits its ease of exploitation. The scope is changed (S:C), meaning the vulnerability can affect resources beyond the initially vulnerable component. The CVSS 3.1 base score is 5.4, indicating medium severity. No public exploit code or active exploitation has been reported to date. The lack of a patch link suggests that remediation may require vendor updates or configuration changes. This vulnerability is particularly relevant for organizations relying on IBM Application Gateway for secure web traffic management, as it could undermine trust in web applications and expose users to client-side attacks.
Potential Impact
For European organizations, this vulnerability poses a risk to the confidentiality and integrity of data processed through IBM Application Gateway, especially in sectors that handle sensitive data, such as finance, healthcare, and government. Successful exploitation could lead to session hijacking, credential theft, or unauthorized actions performed on behalf of legitimate users. While the availability impact is negligible, the reputational damage and potential regulatory consequences under GDPR for data breaches could be significant. Organizations using affected versions may face an increased risk of targeted attacks that exploit this vulnerability to gain footholds or escalate privileges within their networks. The requirement for authentication and user interaction reduces the likelihood of widespread automated exploitation but does not eliminate the risk from insider threats or phishing campaigns. Given IBM Application Gateway's role in managing web traffic and security policies, this vulnerability could also be leveraged to bypass security controls or inject malicious content into trusted web portals.
Mitigation Recommendations
European organizations should immediately verify if they are running IBM Application Gateway versions 23.10 through 25.09 and plan to upgrade to a patched version once available. In the interim, implement strict input validation and output encoding on all user-supplied data to prevent injection of malicious HTML or scripts. Employ Content Security Policy (CSP) headers to restrict execution of unauthorized scripts in browsers. Limit user privileges to the minimum necessary to reduce the attack surface. Monitor web traffic and logs for unusual activity indicative of attempted HTML injection or XSS attacks. Educate users about the risks of interacting with suspicious links or content, especially in authenticated sessions. Consider deploying web application firewalls (WAFs) with rules tailored to detect and block XSS payloads targeting IBM Application Gateway. Coordinate with IBM support to obtain official patches or workarounds and stay informed about any emerging exploit reports.
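The output-encoding, CSP and log-monitoring recommendations above, worked through as an added example (this is not code from the advisory or from IBM Application Gateway, and the page gives no vulnerable parameter, so every name, path and log line below is a constructed placeholder): a template rendered once with raw interpolation and once with HTML escaping, a nonce-based Content Security Policy header, and a small detector that URL-decodes request targets from access-log lines and flags those carrying script tags or inline event handlers.

```python
"""Added example: HTML output encoding, a strict CSP header, and a log check
for HTML-injection attempts. Names, paths and log lines are constructed."""
import html
import re
from string import Template
from urllib.parse import unquote_plus

# Constructed sample: a display name under user control that lands in a page.
UNTRUSTED_NAME = 'Alice <script>alert(1)</script>'

# Hypothetical page template; '$name' is the interpolation point.
PAGE = Template('<p>Welcome, $name</p>')

# Live markup we never want to see in rendered output or in decoded requests:
# an opening <script> tag, or any tag carrying an inline on*= event handler.
ACTIVE_MARKUP = re.compile(r'<\s*script\b|<\s*\w+[^>]*\son\w+\s*=', re.IGNORECASE)


def render_unsafe(name: str) -> str:
    """Weak form (the CWE-80 pattern): user input is interpolated verbatim."""
    return PAGE.substitute(name=name)


def render_encoded(name: str) -> str:
    """Hardened form: the HTML metacharacters & < > " ' are escaped first,
    so the browser shows the text instead of parsing it as markup."""
    return PAGE.substitute(name=html.escape(name, quote=True))


def contains_active_markup(rendered: str) -> bool:
    """True if a rendered page still contains a live script tag or handler."""
    return ACTIVE_MARKUP.search(rendered) is not None


def csp_header(nonce: str) -> str:
    """Strict CSP: only scripts carrying this response's nonce may run;
    inline handlers, plugins and <base> overrides are blocked."""
    return (f"default-src 'self'; script-src 'nonce-{nonce}'; "
            "object-src 'none'; base-uri 'none'")


# Common-log-format line: client, user, timestamp, then the request line.
REQUEST_RE = re.compile(
    r'^(\S+) - (\S+) \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/\d\.\d"')

# Constructed access-log lines; the second and third carry URL-encoded markup.
LOG_LINES = [
    '10.0.0.5 - alice [20/Jan/2026:15:35:56 +0000] '
    '"GET /profile?name=Alice HTTP/1.1" 200 512',
    '10.0.0.9 - bob [20/Jan/2026:15:36:10 +0000] '
    '"GET /profile?name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 640',
    '10.0.0.7 - carol [20/Jan/2026:15:37:02 +0000] '
    '"GET /profile?name=%3Cimg%20src%3Dx%20onerror%3Dalert%281%29%3E HTTP/1.1" 200 700',
]


def flag_injection_attempts(log_lines):
    """Return (client, user, decoded_target) for requests whose URL-decoded
    target contains active markup. Decoding first matters: the raw log line
    never contains a literal '<'."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.match(line)
        if not match:
            continue  # not a request line we understand; skip, do not crash
        client, user, target = match.groups()
        decoded = unquote_plus(target)
        if ACTIVE_MARKUP.search(decoded):
            hits.append((client, user, decoded))
    return hits


if __name__ == '__main__':
    print(render_unsafe(UNTRUSTED_NAME))
    print(render_encoded(UNTRUSTED_NAME))
    print(csp_header('r4nd0m'))
    for hit in flag_injection_attempts(LOG_LINES):
        print('suspicious request:', hit)
```

Escaping at the point where untrusted data is written into HTML is the primary control; the CSP header is defense in depth for the case where a template slips through unescaped, and the log check is a cheap way to spot probing before it succeeds. A production detector would also decode double-encoded and HTML-entity-encoded forms.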
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: ibm
- Date Reserved: 2025-04-15T21:16:59.139Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 696fa0dc4623b1157c3be2cb
Added to database: 1/20/2026, 3:35:56 PM
Last enriched: 1/20/2026, 3:50:53 PM
Last updated: 1/20/2026, 7:08:51 PM