Attackers can exploit several vulnerabilities in IBM QRadar SIEM and, in the worst case, execute malicious code. A security patch closes several gaps.
Preventing attacks
According to a security advisory from the developers, versions 7.5 up to and including 7.5.0 UP12 IF01 are vulnerable. The most dangerous flaw is a “critical” vulnerability (CVE-2025-33117/no EUVD) in the auto-update function. Attackers with unspecified user privileges can submit a crafted auto-update file, then use it to execute their own commands and compromise systems. In addition, data can be accessed without authorization in two cases (CVE-2025-36050, risk “medium”; CVE-2025-33121, “high”). The details of how such attacks could take place are currently unknown.
A second advisory indicates that other components are also at risk. For example, processing a manipulated XML document can lead to memory errors and ultimately to crashes (CVE-2024-8176, “high”). In addition, attackers can foist files containing malicious code on victims in a context that is otherwise trusted (CVE-2024-12087, “medium”).
Install an update
IBM QRadar 7.5.0 UP12 IF02 is protected against the attacks described. So far, there are no indications of attacks. IBM’s developers do not currently specify how admins can recognize instances that have already been successfully attacked. Admins should not put off the installation for long.
Most recently, there were important security updates for IBM AIX/VIOS and DataPower Gateway. Malicious code attacks are conceivable there as well. Security updates are also available for download in this case.
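An added example, not IBM tooling or code from the article: a triage check that sorts an inventory of QRadar version strings into affected and fixed, using the boundaries stated above. It assumes versions are recorded in the article's own notation (`7.5.0 UP12 IF01`); the hostnames and the sample inventory are constructed.

```python
import re

# Boundaries taken from the article: 7.5 through 7.5.0 UP12 IF01 are
# vulnerable, 7.5.0 UP12 IF02 carries the fixes.
FIXED = (7, 5, 0, 12, 2)
AFFECTED_BRANCH = (7, 5)

# Assumption: version strings follow the article's notation.
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.(\d+))?"   # 7.5 or 7.5.0
    r"(?:\s+UP(\d+))?"                # optional update package
    r"(?:\s+IF(\d+))?\s*$",           # optional interim fix
    re.IGNORECASE,
)

def parse_version(text):
    """Return (major, minor, patch, update, interim_fix), or None if unparseable."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    # Missing components (no UP or IF suffix) count as 0.
    return tuple(int(g) if g is not None else 0 for g in m.groups())

def classify(text):
    """Return 'affected', 'fixed', 'out-of-scope' or 'unparsed'."""
    v = parse_version(text)
    if v is None:
        return "unparsed"        # needs a manual look, never assume patched
    if v[:2] != AFFECTED_BRANCH:
        return "out-of-scope"    # the article only makes claims about 7.5
    return "affected" if v < FIXED else "fixed"

def triage(inventory):
    """Map each host in {host: version_string} to its classification."""
    return {host: classify(ver) for host, ver in inventory.items()}

# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE = {
    "qradar-console": "7.5.0 UP12 IF01",
    "qradar-ep1": "7.5.0 UP12 IF02",
    "qradar-ep2": "7.5.0 up11",
    "qradar-lab": "7.4.3 UP9",
    "qradar-old": "unknown build",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(f"{host:16} {SAMPLE[host]:18} {status}")
```

Hosts reported as `unparsed` or `out-of-scope` are not confirmed safe; the article makes no statement about them.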
(des)
This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.