@alon710
Created January 24, 2026 22:44

CVE-2025-36072: Object Graph Chaos: Inside CVE-2025-36072

CVSS Score: 8.8
Published: 2025-11-20
Full Report: https://cvereports.com/reports/CVE-2025-36072

Summary

An authenticated Remote Code Execution (RCE) vulnerability in IBM webMethods Integration caused by unsafe deserialization of object graphs.

TL;DR

IBM webMethods Integration trusts user-supplied Java objects too much. Authenticated users can feed the server a malicious 'graph' object which, upon deserialization, executes arbitrary system commands. Patch immediately.

Technical Details

  • CWE: CWE-502 (Deserialization of Untrusted Data)
  • CVSS: 8.8 (High)
  • Attack Vector: Network (Authenticated)
  • Impact: Remote Code Execution (RCE)
  • Platform: Java
  • Exploit Status: No Public PoC (Yet)

Affected Systems

  • IBM webMethods Integration 10.11
  • IBM webMethods Integration 10.15
  • IBM webMethods Integration 11.1
  • webMethods Integration: 10.11 to 10.11_Core_Fix22 (Fixed in: 10.11_Core_Fix23)
  • webMethods Integration: 10.15 to 10.15_Core_Fix22 (Fixed in: 10.15_Core_Fix23)
  • webMethods Integration: 11.1 to 11.1_Core_Fix6 (Fixed in: 11.1_Core_Fix7)

Mitigation

  • Apply vendor patches immediately via Update Manager.
  • Restrict network access to the Integration Server (Port 5555/5543).
  • Monitor logs for InvalidClassException, which indicates a failed deserialization attempt (a class the server refused to load).
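The report names InvalidClassException as the log signal for a rejected deserialization. The following is an added example, not IBM's code or the vendor fix: a plain-Java JEP 290 ObjectInputFilter allowlist that rejects any class outside the expected set, so an unexpected object graph surfaces as exactly that exception before its readObject logic can run. The Order class and the payloads are constructed for the demo; the vendor Core Fix remains the actual remediation.

```java
import java.io.*;
import java.util.HashMap;

// Added example (not IBM's code): a JEP 290 ObjectInputFilter allowlist.
// Classes outside the allowlist are rejected and surface as
// java.io.InvalidClassException, the signal the report says to monitor.
public class AllowlistDeserializer {

    // Constructed benign payload type standing in for an expected message object.
    static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        Order(String id) { this.id = id; }
    }

    // Only Order and java.lang.String (which the stream itself carries) may be
    // instantiated; "!*" rejects every other class, including gadget chains.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
        "AllowlistDeserializer$Order;java.lang.String;!*");

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(FILTER);   // consulted before any class is resolved
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // The expected type passes the filter.
        Order ok = (Order) deserialize(serialize(new Order("A-1")));
        System.out.println("accepted: " + ok.id);

        // An unexpected (here harmless) class in the stream is rejected before
        // its readObject runs; log this exception to detect probing.
        try {
            deserialize(serialize(new HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Running it prints `accepted: A-1` followed by a `rejected: filter status: REJECTED` line; the same exception text is what a log monitor would key on in a production deployment.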

Remediation Steps:

  1. Identify the current webMethods Integration Server version.
  2. Download the appropriate Core Fix (e.g., Fix23 for 10.15) from IBM Support.
  3. Stop the Integration Server.
  4. Use the IBM webMethods Update Manager to apply the patch.
  5. Restart the server and verify functionality.

References


Generated by CVEReports - Automated Vulnerability Intelligence
