IBM webMethods Integration Server 10.5, 10.7, 10.11, and 10.15

is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote authenticated attacker could exploit this vulnerability to execute arbitrary commands.
Fixes

Solution

IBM strongly recommends addressing the vulnerability now by applying the mentioned core fixes or later core fixes for the affected versions and following the respective fix readme document. IS_10.5_Core_Fix29 or later IS_10.7_Core_Fix23 or later IS_10.11_Core_Fix11 or later IS_10.15_Core_Fix14 or later Fixes can be downloaded and installed via IBM webMethods Update Manager. Refer to How to Download webMethods Software


Workaround

No workaround given by the vendor.

History

Wed, 13 Aug 2025 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Ibm
Ibm webmethods Integration
Linux
Linux linux Kernel
Microsoft
Microsoft windows
Novell
Novell suse Linux
Redhat
Redhat linux
CPEs cpe:2.3:a:ibm:webmethods_integration:10.11:*:*:*:*:*:*:*
cpe:2.3:a:ibm:webmethods_integration:10.15:*:*:*:*:*:*:*
cpe:2.3:a:ibm:webmethods_integration:10.5:*:*:*:*:*:*:*
cpe:2.3:a:ibm:webmethods_integration:10.7:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
cpe:2.3:o:novell:suse_linux:-:*:*:*:*:*:*:*
cpe:2.3:o:redhat:linux:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Ibm
Ibm webmethods Integration
Linux
Linux linux Kernel
Microsoft
Microsoft windows
Novell
Novell suse Linux
Redhat
Redhat linux

Wed, 18 Jun 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 18 Jun 2025 16:15:00 +0000

Type Values Removed Values Added
Description IBM webMethods Integration Server 10.5, 10.7, 10.11, and 10.15 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote authenticated attacker could exploit this vulnerability to execute arbitrary commands.
Title IBM webMethods Integration Sever XML external entity injection
First Time appeared Softwareag
Softwareag webmethods
Weaknesses CWE-611
CPEs cpe:2.3:a:softwareag:webmethods:10.11:*:*:*:*:*:*:*
cpe:2.3:a:softwareag:webmethods:10.15:*:*:*:*:*:*:*
cpe:2.3:a:softwareag:webmethods:10.5:*:*:*:*:*:*:*
cpe:2.3:a:softwareag:webmethods:10.7:*:*:*:*:*:*:*
Vendors & Products Softwareag
Softwareag webmethods
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2025-08-24T11:50:08.864Z

Reserved: 2025-04-15T21:16:10.569Z

Link: CVE-2025-36049

cve-icon Vulnrichment

Updated: 2025-06-18T17:48:01.506Z

cve-icon NVD

Status : Analyzed

Published: 2025-06-18T16:15:27.233

Modified: 2025-08-13T14:08:53.837

Link: CVE-2025-36049

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.