What security vulnerabilities did IBM report in QRadar SIEM?

IBM reported multiple security vulnerabilities affecting its QRadar SIEM platform, including CVE-2025-33117 (CVSS 9.1) for External Control of File Name or Path, CVE-2025-33121 (CVSS 7.1) for XML External Entity injection, and CVE-2025-36050 (CVSS 6.2) for inappropriate storage of sensitive information in log files.

What is IBM QRadar SIEM?

IBM QRadar SIEM is a security information and event management platform used by organizations to collect, analyze, and correlate security events across their networks to detect threats and security incidents. It's a critical security infrastructure component used for monitoring and threat detection.

What is CVE-2025-33117?

CVE-2025-33117 (CVSS score 9.1) is an External Control of File Name or Path vulnerability that allows privileged users to modify configuration files and upload malicious autoupdate files that can execute arbitrary commands on affected QRadar SIEM systems. If exploited, this flaw could provide attackers with a foothold to compromise the network or steal sensitive data.

What is CVE-2025-33121?

CVE-2025-33121 (CVSS score 7.1) is an XML External Entity (XXE) injection vulnerability that occurs when the QRadar SIEM processes XML data. It allows authenticated users to expose sensitive information or exhaust memory resources through maliciously crafted XML data.

What is CVE-2025-36050?

CVE-2025-36050 (CVSS score 6.2) is a vulnerability involving the inappropriate storage of sensitive information in log files that can be accessed by local users. This could lead to unauthorized disclosure of sensitive data to users with local system access.

Which versions of IBM QRadar SIEM are affected?

The vulnerabilities affect IBM QRadar SIEM versions 7.5 through 7.5.0 UP12 IF01. Organizations running these versions should prioritize updating to the patched version immediately.

What is the fixed version for these QRadar vulnerabilities?

IBM has addressed these security issues in QRadar SIEM version 7.5.0 UP12 IF02. The company strongly encourages customers to update their systems promptly to prevent potential exploitation.

What can attackers do if they exploit CVE-2025-33117?

Attackers exploiting CVE-2025-33117 can execute arbitrary commands on affected QRadar SIEM systems, potentially providing them with a foothold to compromise the network or steal sensitive data. This could lead to complete system compromise and lateral movement within the organization's infrastructure.

How can CVE-2025-33121 be exploited?

CVE-2025-33121 can be exploited by authenticated users who submit maliciously crafted XML data to the QRadar SIEM system. This can result in exposure of sensitive information or exhaustion of memory resources, potentially causing denial of service conditions.

Are there any workarounds for these QRadar vulnerabilities?

IBM has not provided any workarounds or mitigations for these vulnerabilities. The only recommended solution is to update to the patched version 7.5.0 UP12 IF02 immediately.

Why are these QRadar vulnerabilities particularly concerning?

These vulnerabilities are particularly concerning because QRadar SIEM is a critical security infrastructure component used for monitoring and threat detection. Compromise of a SIEM system could blind organizations to security threats, allow attackers to hide their activities, and potentially provide access to sensitive security intelligence and network monitoring data.

What should QRadar administrators do immediately?

QRadar administrators should immediately plan and execute an upgrade to version 7.5.0 UP12 IF02, verify that all QRadar instances in their environment are updated, monitor systems for any signs of compromise, and review access logs for any suspicious activity that might indicate exploitation attempts, especially given the critical nature of CVE-2025-33117.

Advisory

IBM reports multiple flaws in QRadar SIEM, at least one critical

published: June 21, 2025

Take action: If you're running IBM QRadar SIEM, plan an update to version 7.5.0 UP12 IF02. There is at least one critical patch to fix, but it's not a panic mode since it does require authentication and privileges within the system to be exploited. Just don't ignore the patch, someone will eventually abuse the flaws.

Learn More

IBM is reporting multiple security vulnerabilities affecting its QRadar SIEM platform.

Vulnerabilities summary

CVE-2025-33117 (CVSS score 9.1), External Control of File Name or Path, allows privileged users to modify configuration files and upload malicious autoupdate files that can execute arbitrary commands on affected QRadar SIEM systems. If exploited, this flaw could provide attackers with a foothold to compromise the network or steal sensitive data.
CVE-2025-33121 (CVSS score 7.1) - An XML External Entity (XXE) injection vulnerability that occurs when the QRadar SIEM processes XML data. It allows authenticated users to expose sensitive information or exhaust memory resources through maliciously crafted XML data.
CVE-2025-36050 (CVSS score 6.2) - A vulnerability involving the inappropriate storage of sensitive information in log files that can be accessed by local users.

The vulnerabilities affect IBM QRadar SIEM versions 7.5 through 7.5.0 UP12 IF01.

IBM has addressed these security issues in QRadar SIEM version 7.5.0 UP12 IF02. The the company strongly encourages customers to update their systems promptly to prevent potential exploitation.

IBM has not provided any workarounds or mitigations for these vulnerabilities.

IBM reports multiple flaws in QRadar SIEM, at least one critical

Read More
Critical Remote Code Execution vulnerability reported in Imunify360 …
Intel patch release fixes over 100 issues including …
BeyondTrust reports vulnerability enabling pre-authentication remote code execution
CISA reports active explotation of WatchGuard Firebox vulnerability
Meta and researchers in dispute about severity of …