IBM QRadar SIEM vulnerability allows remote command execution
IBM has published a security bulletin for its QRadar SIEM platform covering three vulnerabilities, one of them rated critical, that affect versions 7.5 through 7.5.0 Update Package 12 Interim Fix 01. The issues allow arbitrary command execution on the appliance, exposure of sensitive data, and compromise of system integrity.
Vulnerability details
| CVE | Description | CVSS base score | Access required |
|---|---|---|---|
| CVE-2025-33117 | Arbitrary command execution via a malicious autoupdate file | 9.1 | Remote, privileged account |
| CVE-2025-33121 | XML External Entity (XXE) injection; data exfiltration or resource exhaustion | 7.1 | Remote, authenticated account |
| CVE-2025-36050 | Sensitive information exposure in log files | 6.2 | Local access |
The most severe issue (CVE-2025-33117) lets an attacker who already holds a privileged QRadar account upload a malicious autoupdate file and execute arbitrary commands on the appliance. It is reachable over the network, which is why it scores 9.1 despite requiring privileges; the realistic path is a compromised or malicious administrator account. The XXE flaw (CVE-2025-33121) lets an authenticated user submit crafted XML that, when parsed, can pull in external entities to disclose system information or expand entities until the parser exhausts memory or CPU. CVE-2025-36050 is lower impact: sensitive data written to log files can be read by a user with local access. IBM lists no workarounds or mitigations for any of the three, so patching is the only remedy.
Affected products and remediation
All deployments running QRadar SIEM versions 7.5 through 7.5.0 UP12 IF01 are affected. IBM has released QRadar 7.5.0 UP12 Interim Fix 02 (SFS 20250610184357) to address these vulnerabilities; the same interim fix also carries fixes for vulnerabilities in bundled third-party components such as Apache Tomcat and FreeType.
Recommended actions
- Verify deployment versions via the QRadar console.
- Back up all data before upgrading.
- Install the SFS update file across all appliances.
- Ensure no pending configuration changes exist before applying the update.
- Until every appliance is patched, review authentication and audit logs for privileged-account activity, in particular changes to autoupdate settings or file uploads by administrator accounts, since exploitation of CVE-2025-33117 requires a privileged account.
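The pre-flight and monitoring helpers below are an added example for this page, not IBM-supplied tooling or anything from the bulletin. They assume a version string of the form "7.5.0 UP12 IF01" (as the console shows it), use the usual QRadar procedure of loop-mounting an SFS file and running its installer (confirm the exact steps against the fix's release notes before use), and scan an audit-log layout that is constructed here for illustration and is not QRadar's real log format.

```shell
#!/bin/sh
# Added example for this page (not IBM tooling). Assumptions are marked below.

# Return 0 (true) if VERSION falls inside the affected range, i.e. 7.5 up to
# and including 7.5.0 UP12 IF01. Version string layout ("7.5.0 UP12 IF01")
# is an assumption based on how the console reports it.
qradar_is_affected() {
    v=$1
    case "$v" in
        7.5|7.5.0|"7.5.0 "*) ;;     # 7.5.0 release line: keep checking
        *) return 1 ;;              # other release lines: not in this bulletin's scope
    esac
    up=$(printf '%s\n' "$v" | sed -n 's/.*UP\([0-9][0-9]*\).*/\1/p')
    ifix=$(printf '%s\n' "$v" | sed -n 's/.*IF\([0-9][0-9]*\).*/\1/p')
    up=${up:-0}                     # bare "7.5" / "7.5.0" means no update package
    ifix=${ifix:-0}                 # no IF suffix means interim fix 0
    if [ "$up" -lt 12 ]; then return 0; fi
    if [ "$up" -eq 12 ] && [ "$ifix" -lt 2 ]; then return 0; fi
    return 1                        # UP12 IF02 or later: fixed
}

# Roll-out wrapper (not executed by the self-check). Loop-mounts the IF02 SFS
# and starts its installer. Mount point and installer path are the standard
# QRadar locations as assumed here; verify them in the fix's release notes.
install_sfs() {
    sfs=$1
    if [ ! -f "$sfs" ]; then
        echo "SFS file not found: $sfs" >&2
        return 1
    fi
    mkdir -p /media/updates
    mount -o loop -t squashfs "$sfs" /media/updates
    /media/updates/installer
}

# Constructed audit-log sample (NOT QRadar's real format): one line per
# console action, with the acting account in brackets.
write_sample_audit_log() {
    cat > "$1" <<'EOF'
Jun 10 18:43:57 qradar-console [admin@10.0.0.5] Session - Login succeeded
Jun 10 18:44:10 qradar-console [admin@10.0.0.5] AutoUpdate - Settings changed
Jun 10 18:44:31 qradar-console [admin@10.0.0.5] AutoUpdate - File uploaded
Jun 10 18:45:02 qradar-console [analyst@10.0.0.7] Offense - Viewed
Jun 10 18:45:40 qradar-console [analyst@10.0.0.7] AutoUpdate - Settings viewed
Jun 10 18:46:12 qradar-console [root@10.0.0.5] Session - Login succeeded
EOF
}

# Events worth an analyst's attention while CVE-2025-33117 is unpatched:
# a privileged account (admin or root, assumed names) changing autoupdate
# settings or uploading a file through the autoupdate function.
PRIV_AUTOUPDATE_RE='\[(admin|root)@[^]]*\] AutoUpdate - (Settings changed|File uploaded)'

list_privileged_autoupdate_events() {
    grep -E "$PRIV_AUTOUPDATE_RE" "$1" || true
}

count_privileged_autoupdate_events() {
    list_privileged_autoupdate_events "$1" | grep -c . || true
}

# Usage: sh qradar_if02_preflight.sh "<version string>" [/path/to/audit.log]
if [ $# -ge 1 ]; then
    if qradar_is_affected "$1"; then
        echo "AFFECTED: $1 - install 7.5.0 UP12 IF02"
    else
        echo "not affected: $1"
    fi
    if [ $# -ge 2 ]; then
        echo "privileged autoupdate events in $2:"
        list_privileged_autoupdate_events "$2"
    fi
fi
```

Run it with the version string from the console's About page and, optionally, the path to an audit log; the detection pattern is deliberately narrow (privileged account plus an autoupdate change or upload) so that it can be tuned to the real log format once that is confirmed on a patched appliance.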
Source: IBM Support – Security Bulletin: IBM QRadar SIEM contains multiple vulnerabilities