Jan 1, 2026 · 5 min read
IBM webMethods Integration deserializes attacker-controlled Java object graphs without validating them. An authenticated user can submit a crafted serialized 'graph' object that, when the server deserializes it, executes arbitrary system commands on the server. Patch immediately.
An authenticated Remote Code Execution (RCE) vulnerability in IBM webMethods Integration, caused by unsafe deserialization of object graphs.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

| Product | Affected Versions | Fixed Version |
|---|---|---|
| IBM webMethods Integration | 10.11 through 10.11_Core_Fix22 | 10.11_Core_Fix23 |
| IBM webMethods Integration | 10.15 through 10.15_Core_Fix22 | 10.15_Core_Fix23 |
| IBM webMethods Integration | 11.1 through 11.1_Core_Fix6 | 11.1_Core_Fix7 |
| Attribute | Detail |
|---|---|
| CWE | CWE-502 (Deserialization of Untrusted Data) |
| CVSS | 8.8 (High) |
| Attack Vector | Network; requires an authenticated low-privilege account (PR:L) |
| Impact | Remote Code Execution (RCE) |
| Platform | Java |
| Exploit Status | No Public PoC (Yet) |
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid. In Java this matters because ObjectInputStream.readObject() instantiates whichever classes the incoming stream names and runs their readObject()/readResolve() hooks before the application ever sees the result, so validation after the fact is too late: the classes must be restricted (allowlisted) before instantiation, and any Serializable gadget chain already on the server's classpath is enough for an attacker who controls the stream.
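The vulnerable pattern and its standard Java-side fix, as an added illustration that is not code from this advisory or from IBM webMethods: an endpoint that hands caller-supplied bytes straight to ObjectInputStream.readObject(), beside the same endpoint guarded by a JEP 290 ObjectInputFilter allowlist. The class and method names (DeserializationDemo, GraphRequest, Unexpected, deserializeUnfiltered, deserializeFiltered) are hypothetical, and the serialized byte arrays are constructed inside the example itself; no product-specific gadget chain is shown.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

/**
 * Added illustration of CWE-502 in Java (hypothetical names, not webMethods code):
 * an unfiltered readObject() call next to the same call protected by an
 * ObjectInputFilter allowlist (JEP 290, available since Java 9).
 */
public class DeserializationDemo {

    /** The one request type the endpoint is actually meant to accept. */
    public static final class GraphRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        GraphRequest(String name) { this.name = name; }
    }

    /** Stand-in for any other Serializable class on the classpath (e.g. a gadget-chain entry point). */
    public static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    /** Vulnerable: whatever class the stream names is instantiated and its deserialization hooks run. */
    static Object deserializeUnfiltered(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            return in.readObject();
        }
    }

    /**
     * Allowlist filter: the filter is consulted for every class the stream references, before
     * any object is created. Resource limits cap the size and depth of the graph, the expected
     * classes are named explicitly, and "!*" rejects everything else.
     */
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxrefs=256;maxbytes=65536;"
            + GraphRequest.class.getName() + ";"
            + "java.lang.String;"   // type of the GraphRequest.name field; harmless if the JDK treats strings as primitives
            + "!*");

    /** Hardened: identical call, but classes outside the allowlist are rejected before instantiation. */
    static Object deserializeFiltered(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            in.setObjectInputFilter(ALLOWLIST);
            return in.readObject();
        }
    }

    /** Helper to build constructed sample streams for the demo. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] good = serialize(new GraphRequest("sample"));  // constructed: the expected request
        byte[] bad  = serialize(new Unexpected());             // constructed: stand-in for an attacker-chosen class

        // Unfiltered: both streams are accepted; the class named inside the stream decides what code runs.
        System.out.println("unfiltered good -> " + deserializeUnfiltered(good).getClass().getSimpleName());
        System.out.println("unfiltered bad  -> " + deserializeUnfiltered(bad).getClass().getSimpleName());

        // Filtered: the expected type still works; anything else fails with InvalidClassException.
        System.out.println("filtered good   -> " + deserializeFiltered(good).getClass().getSimpleName());
        try {
            deserializeFiltered(bad);
            System.out.println("filtered bad    -> accepted (should not happen)");
        } catch (InvalidClassException e) {
            System.out.println("filtered bad    -> rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac DeserializationDemo.java && java DeserializationDemo` on Java 9 or later. Where the deserializing code cannot be changed, the same allowlist can be applied process-wide with the `jdk.serialFilter` system property (`-Djdk.serialFilter=...`) or its entry in the JDK's security properties; that is a defence-in-depth control for operators, not a replacement for the vendor fix, since it is the product's own deserialization path that is affected. The "No Public PoC" status should not be read as low risk: an attacker who controls the stream only needs a gadget chain that is already present on the server's classpath.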