CVE-2025-36375 PUBLISHED

IBM DataPower Gateway vulnerable to CSRF

Assigner: ibm
Reserved: 15.04.2025 Published: 01.04.2026 Updated: 01.04.2026

IBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0 and IBM DataPower Gateway 10.5.0 10.5.0.0 through 10.5.0.20 and IBM DataPower Gateway 10.6.0 10.6.0.0 through 10.6.0.8 IBM DataPower Gateway is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CVSS Score: 6.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	High
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	IBM
Product	DataPower Gateway 10.6CD
Versions	affected from 10.6.1.0 to 10.6.5.0 (incl.)

Vendor	IBM
Product	DataPower Gateway 10.5.0
Versions	affected from 10.5.0.0 to 10.5.0.20 (incl.)

Vendor	IBM
Product	DataPower Gateway 10.6.0
Versions	affected from 10.6.0.0 to 10.6.0.8 (incl.)

Solutions

Affected Product(s)Fixed in VersionFix linkIBM DataPower Gateway 10.6CD 10.6.1.0 - 10.6.5.010.6.6.0 Installation and Upgrade 10.6.x https://www.ibm.com/docs/en/datapower-gateway/10.6.x IBM DataPower Gateway 10.6.0 10.6.0.0 - 10.6.0.810.6.0.9 Installation and Upgrade 10.6.0 https://www.ibm.com/docs/en/datapower-gateway/10.6.0 IBM DataPower Gateway 10.5.0 10.5.0.0 - 10.5.0.2010.5.0.21 Installation and Upgrade 10.5.0 https://www.ibm.com/docs/en/datapower-gateway/10.5.0

IBM strongly recommends upgrading to a fixed version

Credits

Acknowledgement This vulnerability was reported to IBM by Maciej Włodarczyk & Michał Bartoszuk @ STM Cyber. finder

References

https://www.ibm.com/support/pages/node/7268034

Problem Types

CWE-352 Cross-Site Request Forgery (CSRF) CWE