IBM QRadar SIEM Vulnerabilities Allow Attackers to Execute Arbitrary Commands

Multiple high-severity vulnerabilities in IBM QRadar SIEM could allow attackers to execute arbitrary commands and access sensitive data. 

The most critical flaw, tracked as CVE-2025-33117, carries a CVSS score of 9.1 and enables privileged users to upload malicious files that can execute arbitrary commands on affected systems. 

Organizations running IBM QRadar SIEM versions 7.5 through 7.5.0 UP12 IF01 are urged to immediately update to the latest patch to prevent potential security breaches.

Critical QRadar File Path Vulnerability (CVE-2025-33117)

The most severe vulnerability, CVE-2025-33117, poses an immediate threat to enterprise security infrastructures. 

This flaw is classified under CWE-73 (External Control of File Name or Path). A privileged user who can modify a configuration file can point QRadar's autoupdate mechanism at a malicious autoupdate file, which is then able to execute arbitrary commands on the appliance.
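The CWE-73 pattern behind this flaw, shown as an added example that is not QRadar code and is not taken from IBM's bulletin: a hypothetical autoupdate loader reads the package location from a config file that an admin-level user can edit. The vulnerable loader opens whatever path the config names; the hardened loader canonicalises the path, confines it to a fixed directory and authenticates the file with a key the config cannot change. All file names, paths, key material and contents are constructed for the demo.

```python
"""Added example, not QRadar code: CWE-73 (external control of a file path).

A hypothetical autoupdate loader reads the package location from a config
file that an admin-level user can edit. The vulnerable loader trusts that
path outright; the hardened loader canonicalises it, keeps it under a fixed
directory and authenticates the file with a key the config cannot change.
All names, paths, keys and contents below are constructed for the demo.
"""
import hashlib
import hmac
import json
import os
import tempfile

# Assumption: the key used to authenticate update packages is held outside
# any file the privileged user can edit (in production, an HSM or vault).
SIGNING_KEY = b"demo-only-key-not-for-real-use"


def load_update_vulnerable(config_path):
    """CWE-73 pattern: the path named in the config is opened as-is."""
    with open(config_path) as f:
        cfg = json.load(f)
    with open(cfg["update_file"], "rb") as f:   # attacker-chosen path
        return f.read()                         # caller would then execute it


def load_update_hardened(config_path, trusted_dir):
    """Resolve the path, confine it to trusted_dir, then authenticate the bytes."""
    with open(config_path) as f:
        cfg = json.load(f)
    trusted_dir = os.path.realpath(trusted_dir)
    # os.path.join discards trusted_dir when the config supplies an absolute
    # path, so the containment check below is what actually enforces it.
    candidate = os.path.realpath(os.path.join(trusted_dir, cfg["update_file"]))
    if os.path.commonpath([trusted_dir, candidate]) != trusted_dir:
        raise PermissionError(f"update path escapes {trusted_dir}: {candidate}")
    with open(candidate, "rb") as f:
        data = f.read()
    tag = hmac.new(SIGNING_KEY, data, hashlib.sha256).hexdigest()
    # Constant-time comparison against the tag recorded for the package.
    if not hmac.compare_digest(tag, str(cfg.get("update_hmac", ""))):
        raise PermissionError("update file failed authentication")
    return data


def demo():
    """Run both loaders against a legitimate and a tampered config."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        trusted = os.path.join(root, "autoupdate")
        os.mkdir(trusted)
        legit_file = os.path.join(trusted, "update.bin")
        legit_bytes = b"legitimate update package"
        with open(legit_file, "wb") as f:
            f.write(legit_bytes)
        evil_file = os.path.join(root, "evil.bin")      # outside trusted dir
        with open(evil_file, "wb") as f:
            f.write(b"malicious update package")

        legit_cfg = os.path.join(root, "legit.conf")
        with open(legit_cfg, "w") as f:
            json.dump({"update_file": "update.bin",
                       "update_hmac": hmac.new(SIGNING_KEY, legit_bytes,
                                               hashlib.sha256).hexdigest()}, f)
        # A privileged user rewrites the config to point at their own file.
        evil_cfg = os.path.join(root, "tampered.conf")
        with open(evil_cfg, "w") as f:
            json.dump({"update_file": evil_file}, f)

        results["hardened_legit"] = load_update_hardened(legit_cfg, trusted)
        results["vulnerable_tampered"] = load_update_vulnerable(evil_cfg)
        try:
            load_update_hardened(evil_cfg, trusted)
            results["hardened_tampered"] = "accepted"
        except PermissionError as e:
            results["hardened_tampered"] = "rejected: " + str(e)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The containment check alone stops the path escape, but it would still accept a hostile file dropped inside the trusted directory, which is why the HMAC check is there as well: the admin can edit the config, but cannot produce a valid tag without a key held outside it.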

The vulnerability’s CVSS vector (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) indicates network-based exploitation with low attack complexity, requiring high privileges but no user interaction.

Because the only precondition is admin-level access, an attacker who already holds or has stolen such credentials can turn this flaw into full control of the QRadar host and, from there, of the wider SIEM deployment.

The scope change (S:C) in the CVSS vector indicates that successful exploitation can impact resources beyond the vulnerable component, making this particularly dangerous in enterprise environments where QRadar manages critical security data.

Additional Security Flaws Discovered

CVE-2025-33121 represents an XML External Entity (XXE) injection vulnerability with a CVSS score of 7.1, classified under CWE-611: Improper Restriction of XML External Entity Reference. 

A remote, authenticated attacker can submit specially crafted XML data to expose sensitive information or exhaust memory resources.
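The two outcomes the article names for CVE-2025-33121, information disclosure and memory exhaustion, correspond to the classic external-entity and entity-expansion XML payloads. As an added example that is not QRadar code and makes no claim about how QRadar parses XML, the block below shows both payloads (constructed for the demo) and a gate that refuses any document declaring a DTD before the real parse runs, which is the simplest way to shut both attacks out with Python's standard library.

```python
"""Added example, not QRadar code: refusing XXE and entity-expansion input.

Python's expat-backed parsers do not fetch external entities on their own,
but they do expand internal entities, and both attacks need a DTD. The gate
below rejects any DOCTYPE or entity declaration before the real parse runs.
The three documents are constructed for the demo.
"""
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Classic XXE: the external entity would pull a local file into the document.
XXE_PAYLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE data [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<data>&xxe;</data>"""

# Small 'billion laughs' bomb: 100 copies of "lol" from a 200-byte DTD.
BOMB_PAYLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<lolz>&lol2;</lolz>"""

BENIGN = b"<event><source>10.0.0.5</source><severity>3</severity></event>"


class UnsafeXML(ValueError):
    """Raised when untrusted XML carries a DTD or an entity declaration."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    raise UnsafeXML(f"DOCTYPE not allowed (root={name}, system id={sysid})")


def _reject_entity(name, *_):
    raise UnsafeXML(f"entity declaration not allowed: {name}")


def parse_untrusted(xml_bytes):
    """Parse XML from an authenticated but untrusted user, or raise UnsafeXML."""
    gate = expat.ParserCreate()
    gate.StartDoctypeDeclHandler = _reject_doctype
    gate.EntityDeclHandler = _reject_entity
    gate.Parse(xml_bytes, True)        # exceptions raised in handlers propagate
    return ET.fromstring(xml_bytes)    # no DTD present, safe to build the tree


def naive_expansion_length():
    """Show what an unguarded ElementTree parse does with the bomb."""
    return len(ET.fromstring(BOMB_PAYLOAD).text)


def classify(xml_bytes):
    """Return 'ok' or a 'rejected: ...' string for the demo."""
    try:
        parse_untrusted(xml_bytes)
        return "ok"
    except UnsafeXML as e:
        return f"rejected: {e}"


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("xxe", XXE_PAYLOAD), ("bomb", BOMB_PAYLOAD)):
        print(label, "->", classify(doc))
    print("unguarded parse expands the bomb to", naive_expansion_length(), "chars")
```

The bomb here expands only 100-fold so the demo stays small; each extra nesting level multiplies the output by ten, which is how a few kilobytes of input turns into gigabytes of memory. Rejecting the DTD outright is stricter than disabling external entities alone and is the right default for input that never legitimately needs one.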

The third vulnerability, CVE-2025-36050, involves the inappropriate storage of sensitive information in log files accessible to local users. 

With a CVSS score of 6.2 and classification under CWE-532: Insertion of Sensitive Information into Log File, this vulnerability could expose confidential data to unauthorized local users. 

The CVSS vector (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) indicates that exploitation requires local access (AV:L) but no privileges (PR:N): any local user who can read the log files obtains the data.

The vulnerabilities were discovered by IBM’s Security Ethical Hacking Team, including researchers John Zuccato, Rodney Ryan, Chris Shepherd, Vince Dragnea, Ben Goodspeed, and Dawid Bak. 

| CVE | Affected Products | Impact | Exploit Prerequisites | CVSS 3.1 Score |
|---|---|---|---|---|
| CVE-2025-33117 | IBM QRadar SIEM 7.5 – 7.5.0 UP12 IF01 | Arbitrary command execution | Privileged user access (admin-level) | 9.1 (Critical) |
| CVE-2025-33121 | IBM QRadar SIEM 7.5 – 7.5.0 UP12 IF01 | Sensitive data exposure | Authenticated user access | 7.1 (High) |
| CVE-2025-36050 | IBM QRadar SIEM 7.5 – 7.5.0 UP12 IF01 | Unauthorized access to sensitive information | Local system access (no authentication) | 6.2 (Medium) |

IBM has released QRadar 7.5.0 UP12 IF02 as the definitive fix for all identified vulnerabilities. Organizations must prioritize this update given the critical nature of these flaws, particularly the arbitrary command execution capability. 

The security bulletin provides no workarounds or mitigations, making immediate patching the only viable defense strategy.


The post IBM QRadar SIEM Vulnerabilities Allows Attackers to Execute Arbitrary Commands appeared first on Cyber Security News.