Object Graph Chaos: Inside CVE-2025-36072

Alon Barad

Software Engineer

Jan 1, 2026·5 min read·1 visit

No Known Exploit

Executive Summary (TL;DR)

IBM webMethods Integration trusts user-supplied Java objects too much. Authenticated users can feed the server a malicious 'graph' object which, upon deserialization, executes arbitrary system commands. Patch immediately.

An authenticated Remote Code Execution (RCE) vulnerability in IBM webMethods Integration caused by unsafe deserialization of object graphs.

Attack Flow Diagram

Official Patches

IBMIBM Security Bulletin 7252090

Technical Appendix

CVSS Score

8.8/ 10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

0.04%

Top 100% most exploited

Affected Systems

IBM webMethods Integration 10.11IBM webMethods Integration 10.15IBM webMethods Integration 11.1

Affected Versions Detail

Product	Affected Versions	Fixed Version
webMethods Integration IBM	10.11 to 10.11_Core_Fix22	10.11_Core_Fix23
webMethods Integration IBM	10.15 to 10.15_Core_Fix22	10.15_Core_Fix23
webMethods Integration IBM	11.1 to 11.1_Core_Fix6	11.1_Core_Fix7

Attribute	Detail
CWE	CWE-502 (Deserialization of Untrusted Data)
CVSS	8.8 (High)
Attack Vector	Network (Authenticated)
Impact	Remote Code Execution (RCE)
Platform	Java
Exploit Status	No Public PoC (Yet)

MITRE ATT&CK Mapping

T1203Exploitation for Client Execution

Execution

T1059.007Command and Scripting Interpreter: JavaScript

Execution

T1559Inter-Process Communication

Execution

CWE-502

Deserialization of Untrusted Data

The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

Vulnerability Timeline

CVE Published

2025-02-14

Security Bulletin Released by IBM

2025-02-28

Subscribe to updates

Get the latest CVE analysis reports delivered to your inbox.