CVE-2025-36072 Overview
CVE-2025-36072 is an insecure deserialization vulnerability in IBM webMethods Integration. The flaw allows an authenticated user to execute arbitrary code on the underlying system by submitting crafted serialized object graphs. The weakness is classified as CWE-502: Deserialization of Untrusted Data.
Affected versions include 10.11 through 10.11_Core_Fix22, 10.15 through 10.15_Core_Fix22, and 11.1 through 11.1_Core_Fix6. Because webMethods Integration commonly brokers data between enterprise applications, successful exploitation can give attackers a foothold inside business-critical integration pipelines.
Critical Impact
An authenticated attacker can achieve arbitrary code execution on the integration server, compromising confidentiality, integrity, and availability of integrated systems.
Affected Products
- IBM webMethods Integration 10.11 through 10.11_Core_Fix22
- IBM webMethods Integration 10.15 through 10.15_Core_Fix22
- IBM webMethods Integration 11.1 through 11.1_Core_Fix6
Discovery Timeline
- 2025-11-20 - CVE-2025-36072 published to NVD
- 2025-12-15 - Last updated in NVD database
Technical Details for CVE-2025-36072
Vulnerability Analysis
The vulnerability resides in how IBM webMethods Integration processes serialized object graphs received from authenticated users. The product reconstructs Java objects without sufficient validation of class types or object content. This allows an attacker to craft a malicious serialized payload that triggers code execution during the deserialization process.
Exploitation requires valid credentials but no user interaction. The attack is network-reachable, which means any authenticated principal with access to the affected endpoint can attempt exploitation. Because webMethods Integration typically runs with elevated privileges to access backend systems and message brokers, code executed through this flaw inherits broad access to downstream resources.
Root Cause
The root cause is unsafe Java deserialization of untrusted object graphs. The product invokes deserialization routines on attacker-controlled input without applying a strict allow-list of permitted classes. Gadget chains present in the application classpath can be invoked during object reconstruction, leading to arbitrary code execution under the service account.
Attack Vector
An authenticated attacker submits a crafted serialized payload to an exposed webMethods Integration endpoint. The server deserializes the payload, instantiates malicious gadget chains, and executes attacker-supplied commands. No social engineering or victim interaction is required, and the attack complexity is low. See the IBM Security Advisory for vendor-confirmed technical details.
Detection Methods for CVE-2025-36072
Indicators of Compromise
- Unexpected child processes spawned by the webMethods Integration Server JVM, such as cmd.exe, powershell.exe, bash, or sh.
- Outbound network connections from the Integration Server to unrecognized hosts following authenticated API requests.
- New or modified files in webMethods package directories not associated with deployment activity.
- Authentication events from service or low-privilege accounts followed by anomalous administrative actions.
Detection Strategies
- Monitor JVM process trees for the Integration Server and alert on any non-Java child processes.
- Inspect application logs for deserialization stack traces referencing classes like InvokerTransformer, TemplatesImpl, or other known gadget chain components. Such traces usually surface on failed or mis-targeted attempts (wrong library version, missing class); a chain that succeeds may log nothing, so do not treat the absence of traces as evidence of no exploitation.
- Correlate authenticated API calls to webMethods endpoints with subsequent process creation or outbound network activity.
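The three strategies above, run over a handful of log lines as an added example (this is illustrative code written for this page, not a SentinelOne or IBM detection). The log format, field names, account names, paths and timestamps are all constructed for the demo; real Integration Server and endpoint telemetry will need their own parsers, but the rules (gadget class in a trace, shell spawned by the JVM, attribution to recent successful authentications) carry over unchanged.

```python
import re
from datetime import datetime, timedelta

# Classes commonly seen in Java deserialization gadget chains (illustrative subset).
GADGET_MARKERS = (
    "org.apache.commons.collections.functors.InvokerTransformer",
    "org.apache.commons.collections.functors.ChainedTransformer",
    "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
)
# Child images an integration-server JVM should never spawn directly.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "bash", "sh", "dash", "zsh"}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse a constructed 'TIMESTAMP kind key=value ...' line into a dict.

    Returns None for lines without that prefix (e.g. stack-trace continuation lines)."""
    parts = line.strip().split(" ", 2)
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    event = {"ts": ts, "kind": parts[1]}
    if len(parts) == 3:
        for key, val in _KV.findall(parts[2]):
            event[key] = val.strip('"')
    return event


def detect(lines, window=timedelta(seconds=60)):
    """Run the three rules over log lines and return a list of alert dicts."""
    alerts = []
    auth_events = []  # successful authentications seen so far, in log order
    for line in lines:
        # Rule 1: a stack trace naming a known gadget class. Trace lines carry no
        # structured prefix, so this substring check runs before parsing.
        for marker in GADGET_MARKERS:
            if marker in line:
                alerts.append({"rule": "gadget_class_in_trace",
                               "class": marker, "line": line.strip()})
        event = parse_event(line)
        if event is None:
            continue
        if event["kind"] == "auth" and event.get("result") == "success":
            auth_events.append(event)
        elif event["kind"] == "process":
            parent = event.get("parent", "").rsplit("/", 1)[-1].lower()
            child = event.get("child", "").rsplit("/", 1)[-1].lower()
            # Rule 2: a shell or script interpreter spawned directly by the JVM.
            if parent.startswith("java") and child in SHELL_IMAGES:
                alert = {"rule": "jvm_spawned_shell", "child": child,
                         "cmdline": event.get("cmdline", ""), "users": []}
                # Rule 3: attribute the spawn to principals that authenticated
                # within the window before it, so the alert names who to look at.
                for auth in auth_events:
                    if timedelta(0) <= event["ts"] - auth["ts"] <= window:
                        alert["users"].append(auth.get("user"))
                alerts.append(alert)
    return alerts


# Constructed sample: one service-account login, one failed login, a failed
# deserialization trace, a shell spawned by the JVM, and a benign JVM child.
SAMPLE_LOG = """\
2025-11-21T10:01:40Z auth user=svc_erp_sync src=10.0.5.23 result=success
2025-11-21T10:01:55Z auth user=alice src=10.0.9.8 result=failure
2025-11-21T10:02:13Z error msg="service invocation failed"
    at org.apache.commons.collections.functors.InvokerTransformer.transform(Unknown Source)
    at java.io.ObjectInputStream.readObject(Unknown Source)
2025-11-21T10:02:14Z process parent=/usr/bin/java child=/bin/sh cmdline="sh -c id"
2025-11-21T10:05:00Z process parent=/usr/bin/java child=/usr/bin/java cmdline="java -version"
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample, rule 1 fires on the InvokerTransformer frame and rule 2 on the `sh` child, and the second alert is attributed to `svc_erp_sync` because that login landed 34 seconds earlier; the failed `alice` login and the `java -version` child produce nothing. Tune the window to the latency between a request and any resulting process activity in your environment, and feed the alerts to the same place your identity and endpoint events already go.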
Monitoring Recommendations
- Forward webMethods Integration Server logs and host telemetry to a centralized analytics platform such as Singularity Data Lake for correlation across identity, endpoint, and network events.
- Use behavioral identification on the Integration Server host through an EDR capability such as Singularity Endpoint to flag suspicious process lineage from the JVM.
- Track authentication anomalies on accounts permitted to call integration APIs and review for unusual source IPs or off-hours activity.
How to Mitigate CVE-2025-36072
Immediate Actions Required
- Apply the IBM-supplied fix packs referenced in the vendor advisory to all affected 10.11, 10.15, and 11.1 deployments.
- Restrict network access to the webMethods Integration Server administrative and API endpoints to trusted management networks only.
- Audit user accounts authorized to invoke webMethods services and remove any unused or excessive privileges.
- Rotate credentials for service accounts that interact with the Integration Server following patch deployment.
Patch Information
IBM has published remediation guidance in the IBM Security Advisory. Administrators should apply, for each affected stream, the Core Fix level that IBM designates as fixed (a level later than 10.11_Core_Fix22, 10.15_Core_Fix22, and 11.1_Core_Fix6 respectively), exactly as specified in the advisory.
Workarounds
- Place the Integration Server behind a reverse proxy or web application firewall that inspects and blocks Java serialized payload signatures such as rO0AB (Base64) or the 0xAC 0xED magic bytes. Treat this as a compensating control only: the rO0AB prefix appears only when the stream starts on a 3-byte Base64 boundary, and a payload that is offset, compressed, or nested inside another encoding will not match a literal signature.
- Enforce strict authentication policies and multi-factor authentication for all accounts able to reach the Integration Server.
- Segment the Integration Server from general user networks until patching is complete.
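The payload-signature workaround above, carried a step further as an added example (illustrative code for this page, not IBM's product or any WAF vendor's rule set). Instead of matching the literal `rO0AB` string it decodes every Base64-looking run and searches the decoded bytes for the stream magic, which also catches streams that do not start on a Base64 boundary, and it then pulls class names out of the stream's TC_CLASSDESC records to flag known gadget classes. The demo payloads are constructed: they contain the header and class-descriptor records a scanner sees, not a working gadget chain. The class-name extraction is a heuristic scan, not a full parser of the Java serialization grammar, so use it for triage rather than as a guarantee.

```python
import base64
import re
import struct

# Java serialization stream header: STREAM_MAGIC (0xACED) + STREAM_VERSION (5).
STREAM_MAGIC = b"\xac\xed\x00\x05"
TC_OBJECT = 0x73
TC_CLASSDESC = 0x72

# Known gadget-chain classes (illustrative subset; extend from your own intel).
GADGET_CLASSES = {
    "org.apache.commons.collections.functors.InvokerTransformer",
    "org.apache.commons.collections.functors.ChainedTransformer",
    "org.apache.commons.collections4.functors.InvokerTransformer",
    "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
}

_CLASS_NAME = re.compile(rb"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)+$")
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")


def find_serialized_streams(body):
    """Return every Java serialization stream found in a request body.

    Raw streams are located by the magic bytes. Base64 runs are decoded and the
    decoded bytes searched for the magic, so an offset stream (no literal
    'rO0AB' in the text) is still found."""
    found = [body[m.start():] for m in re.finditer(re.escape(STREAM_MAGIC), body)]
    for run in _B64_RUN.finditer(body):
        chunk = run.group(0).rstrip(b"=")
        try:
            decoded = base64.b64decode(chunk + b"=" * (-len(chunk) % 4), validate=True)
        except ValueError:  # binascii.Error is a ValueError
            continue
        idx = decoded.find(STREAM_MAGIC)
        if idx != -1:
            found.append(decoded[idx:])
    return found


def class_names(stream):
    """Heuristically extract class names from TC_CLASSDESC records.

    A descriptor is 0x72, a 2-byte big-endian length, the class name, then an
    8-byte serialVersionUID. Handles and back-references are not followed."""
    names = []
    i = 0
    while i < len(stream) - 3:
        if stream[i] == TC_CLASSDESC:
            (length,) = struct.unpack_from(">H", stream, i + 1)
            name = stream[i + 3:i + 3 + length]
            if 3 <= length <= 255 and len(name) == length and _CLASS_NAME.match(name):
                names.append(name.decode("ascii"))
                i += 3 + length + 8  # skip the name and serialVersionUID
                continue
        i += 1
    return names


def inspect_request_body(body):
    """'block' if a stream names a known gadget class, 'review' if any stream
    is present, 'allow' otherwise."""
    streams = find_serialized_streams(body)
    classes = sorted({c for s in streams for c in class_names(s)})
    gadgets = sorted(c for c in classes if c in GADGET_CLASSES)
    verdict = "block" if gadgets else ("review" if streams else "allow")
    return {"verdict": verdict, "streams": len(streams),
            "classes": classes, "gadgets": gadgets}


def _class_desc(name):
    """Build a constructed TC_CLASSDESC prefix (name + zero serialVersionUID)."""
    encoded = name.encode("ascii")
    return bytes([TC_CLASSDESC]) + struct.pack(">H", len(encoded)) + encoded + b"\x00" * 8


# Constructed demo streams: header plus descriptor records only, not a real chain.
DEMO_STREAM = (STREAM_MAGIC + bytes([TC_OBJECT])
               + _class_desc("org.apache.commons.collections.functors.InvokerTransformer")
               + _class_desc("java.util.HashMap"))
BENIGN_STREAM = STREAM_MAGIC + bytes([TC_OBJECT]) + _class_desc("java.util.HashMap")

DEMO_BODIES = {
    "raw": b"payload=" + DEMO_STREAM,
    "base64": b'{"obj":"' + base64.b64encode(DEMO_STREAM) + b'"}',
    # Two leading bytes shift the Base64 alignment: no 'rO0AB' in the text.
    "base64_shifted": b"data=" + base64.b64encode(b"\x00\x00" + DEMO_STREAM),
    "benign_stream": b"obj=" + base64.b64encode(BENIGN_STREAM),
    "benign": b'{"name":"order-42","items":[1,2,3]}',
}

if __name__ == "__main__":
    for label, body in DEMO_BODIES.items():
        print(label, inspect_request_body(body))
```

The shifted case is the one a literal `rO0AB` rule misses: the text starts `AACs7QAF`, yet decoding the run exposes the magic two bytes in and the InvokerTransformer descriptor behind it. A stream carrying only `java.util.HashMap` comes back as `review`, which is the right outcome for a legitimate serialized exchange you have not allow-listed yet; the place to decide what is legitimate is a class allow-list enforced at deserialization time, which this inspector can inform but not replace.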
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.