CVE Alert: CVE-2025-36007 – IBM – QRadar SIEM

Risk verdict

High potential for local privilege escalation on the affected appliance due to misassigned privileges in the update script; no explicit KEV/SSVC exploitation state is shown, so treat as priority 1 only if KEV is true or EPSS ≥ 0.5.

Why this matters

Privilege escalation can enable an attacker to fully control the host, tamper with security controls, and exfiltrate or weaponise sensitive data. The vulnerability affects multiple updates and shows a broad impact profile across confidentiality, integrity, and availability.

Most likely attack path

An attacker with local access (low initial privileges) could exploit the update script’s misassignment to gain elevated rights (privileges: low; impact: high). With unchanged scope, this could allow persistent access, credential abuse, and potential lateral movement to adjacent components if trust boundaries exist around the appliance.

Who is most exposed

organisations that deploy centralised SIEM-like appliances with routine on-host patching; environments where administrators or automated processes have console or root access to the update workflow are more at risk.

Detection ideas

• Alerts for privilege-escalation events tied to update-script execution
• Recent permission/ownership changes on update scripts or related binaries
• Unusual or out-of-window patch installations, especially with elevated privileges
• Process trees showing update scripts spawning high-privilege processes
• Correlated logins from low-privilege accounts followed by privileged actions on the host

Mitigation and prioritisation

• Patch to the fixed UP14 release; verify deployment across all affected hosts
• Harden update scripts: enforce least privilege, remove unnecessary elevated rights
• Restrict local access to the appliance, enforce MFA, and limit maintenance-window access
• Strengthen monitoring: enable detailed process auditing and file integrity checks
• Change-management: test patch in staging, track remediation progress
• If KEV true or EPSS ≥ 0.5, treat as priority 1 and accelerate remediation. If those indicators are absent, monitor closely and re-evaluate as new data arrives.