IBM webMethods Integration Server Privilege Escalation via pub.scheduler.addOneTimeTask (CVE-2025-36048)

Critical Vulnerability Information Vulnerability Overview CVE ID: CVE-2025-36048 Description: IBM webMethods Integration Server is affected by a privilege escalation vulnerability via the pub.scheduler.addOneTimeTask service. This vulnerability allows privileged users to escalate their privileges due to unnecessary privilege execution when processing external entities. Vulnerability Details CWE: CWE-250 - Execution with Unnecessary Privileges CVSS Score: 7.2 CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) Affected Products and Versions Remediation It is strongly recommended to immediately apply the mentioned core fixes or subsequent core fixes, and follow the corresponding remediation documentation. Specific fixed versions: - IS_10.5_Core_Fix29 or higher - IS_10.7_Core_Fix23 or higher - IS_10.11_Core_Fix12 or higher - IS_10.15_Core_Fix14 or higher Workarounds and Mitigations None Reporter The vulnerability was reported to IBM by Rob Maslen (rob.maslen@mdsec.co.uk). Update History June 18, 2025: CVE information updated June 18, 2025: Initial release

Goal Reached Thanks to every supporter — we hit 100%!

IBM webMethods Integration Server Privilege Escalation via pub.scheduler.addOneTimeTask (CVE-2025-36048)