Advisory

IBM Patches Critical Remote Code Execution Flaws in QRadar SIEM

Take action: If you are running the IBM QRadar 7.5.0 branch, review its exposure to untrusted networks, then plan a patch cycle. It is not urgent, especially if your SIEM is properly isolated, but it should not be ignored.


Learn More

IBM released a security update for QRadar SIEM version 7.5.0 to address 11 vulnerabilities in its core components. These flaws reside in integrated libraries and modules including net-snmp, glib, OpenSSL, and the Linux kernel.

Vulnerability summary:

  • CVE-2025-68615 (CVSS score 9.8) - A buffer overflow in the net-snmp snmptrapd daemon caused by improper restriction of operations within memory buffer bounds. Attackers can send a specially crafted packet to the daemon to trigger the overflow, leading to a service crash or remote code execution. This allows unauthenticated remote attackers to compromise the SIEM's availability and system integrity.
  • CVE-2025-13601 (CVSS score 7.7) - A heap-based buffer overflow in glib's g_escape_uri_string() function resulting from an integer overflow during buffer size calculation. When processing strings with many characters requiring escaping, the function writes past the allocated memory. This can lead to memory corruption and unauthorized system access.
  • CVE-2025-9230 (CVSS score 7.5) - An out-of-bounds read and write vulnerability in OpenSSL when decrypting CMS messages using password-based encryption. Attackers can trigger memory corruption by providing malicious CMS messages, leading to a denial-of-service or execution of attacker-supplied code.
  • CVE-2023-53673 (CVSS score 7.8) - A use-after-free vulnerability in the Linux kernel's Bluetooth stack occurring when a connection is deleted before the disconnect callback completes. Attackers can exploit this race condition to access freed memory, resulting in a kernel panic or privilege escalation.
  • CVE-2025-40277 (CVSS score 7.8) - An out-of-bounds access vulnerability in the Linux kernel's drm/vmwgfx driver caused by failing to validate command header sizes from userspace. Attackers can use this flaw to overflow buffer offset calculations, allowing them to read or write to protected memory regions.

The vulnerabilities affect IBM QRadar SIEM version 7.5.0, including all releases from 7.5.0 through 7.5.0 UP14 IF04. IBM confirmed that only the 7.5.0 branch is vulnerable to this specific set of component flaws.

IBM released QRadar SIEM 7.5.0 UP14 IF05 to patch these issues by updating the underlying vulnerable libraries and kernel modules. Administrators should apply this patch ASAP.
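To triage a fleet against the affected range stated above, the following is an added example (not IBM's code and not part of the advisory) that parses version strings in the "7.5.0 UP14 IF04" form used on this page and classifies each as affected, fixed, or outside this advisory's scope. It assumes the update pack (UP) and interim fix (IF) parts are optional and default to 0; obtaining the string from each appliance is left to the administrator.

```python
import re
from typing import NamedTuple

# Matches strings like "7.5.0", "7.5.0 UP14" or "7.5.0 UP14 IF04".
# Assumption: UP and IF are optional; a bare "7.5.0" is the base release (UP0 IF0).
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s+UP(\d+))?(?:\s+IF(\d+))?\s*$", re.IGNORECASE
)


class QRadarVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    up: int      # update pack number
    intfix: int  # interim fix number


def parse_version(text: str) -> QRadarVersion:
    """Parse an advisory-style QRadar version string into comparable fields."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised QRadar version string: {text!r}")
    return QRadarVersion(*(int(g) if g is not None else 0 for g in m.groups()))


# Taken from the advisory: 7.5.0 UP14 IF05 is the first fixed build.
FIXED = parse_version("7.5.0 UP14 IF05")


def assess(text: str) -> str:
    """Return 'affected', 'fixed' or 'out-of-scope' for one version string."""
    v = parse_version(text)
    # The advisory covers only the 7.5.0 branch; other branches are out of scope here.
    if (v.major, v.minor, v.patch) != (FIXED.major, FIXED.minor, FIXED.patch):
        return "out-of-scope"
    # NamedTuple compares field by field, so UP is ordered before IF within the same UP.
    return "fixed" if v >= FIXED else "affected"


def assess_inventory(inventory: dict) -> dict:
    """Classify a {host: version} mapping; returns {host: status}."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory for demonstration; not real hosts.
    sample = {
        "siem-console-1": "7.5.0 UP14 IF04",
        "siem-ep-2": "7.5.0 UP14 IF05",
        "siem-lab": "7.5.0",
        "siem-old": "7.4.3",
    }
    for host, status in assess_inventory(sample).items():
        print(f"{host:16} {sample[host]:18} {status}")
```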
