Introduction
Remote code execution by authenticated users in enterprise integration infrastructure can lead to full compromise of business-critical workflows and data. CVE-2025-36072 exposes IBM webMethods Integration Server deployments to this exact risk, allowing attackers with valid credentials to trigger arbitrary code execution through unsafe deserialization.
About IBM webMethods Integration Server: IBM webMethods Integration Server is a widely adopted enterprise application integration platform, originally developed by Software AG and now part of IBM's integration portfolio. Large organizations use it to connect disparate business applications and automate workflows, so a vulnerability in it can have significant operational and security impact.
Technical Information
CVE-2025-36072 is a deserialization vulnerability (CWE-502) affecting IBM webMethods Integration Server. The vulnerability arises from the server's handling of serialized Java object graphs received via internal APIs or protocols such as IDataBin. Specifically, the server does not sufficiently validate or restrict which classes may be deserialized, so an attacker can submit a crafted serialized object graph that leverages a gadget chain already present on the classpath.
Attackers must be authenticated and have service execution privileges. By sending a malicious serialized object to the vulnerable endpoint, the attacker triggers the deserialization process. If the object graph is constructed to exploit a gadget chain, arbitrary code execution occurs with the privileges of the Integration Server process. This can enable lateral movement, data exfiltration, or persistent access within the enterprise network.
No public code snippets or proof of concept details are available for this vulnerability. The attack does not require user interaction beyond authentication and service invocation.
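The missing control described above is a restriction on which classes the deserializer will instantiate. As an added illustration (not IBM code and not part of this advisory), the following shows how a JDK serialization filter (JEP 290, Java 9+) admits only an explicitly listed class and rejects every other class descriptor in the stream; the `OrderRequest` class and the depth and reference limits are hypothetical values chosen for the example.

```java
import java.io.*;

public class AllowlistDeserialization {

    // Hypothetical data-transfer class that the endpoint legitimately expects.
    public static class OrderRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String orderId;
        OrderRequest(String orderId) { this.orderId = orderId; }
    }

    // Allowlist filter: only OrderRequest may be deserialized; "!*" rejects any
    // other class. The limits bound graph depth and object count so an oversized
    // or deeply nested graph is rejected before it is fully read.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
        "maxdepth=5;maxrefs=100;AllowlistDeserialization$OrderRequest;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with the allowlist applied. A class that is not permitted causes
    // InvalidClassException ("filter status: REJECTED") before it is instantiated.
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Object accepted = deserializeFiltered(serialize(new OrderRequest("A-100")));
        System.out.println("accepted: " + accepted.getClass().getName());

        // A serializable class that is not on the allowlist (a benign stand-in for
        // any unexpected class in the stream) must be rejected.
        try {
            deserializeFiltered(serialize(new java.util.Date()));
            System.out.println("unexpected: class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern syntax can be applied process-wide through the `jdk.serialFilter` system property, which is useful when the deserializing code cannot be changed directly.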
Affected Systems and Versions
- IBM webMethods Integration Server 10.11 through 10.11_Core_Fix22
- IBM webMethods Integration Server 10.15 through 10.15_Core_Fix22
- IBM webMethods Integration Server 11.1 through 11.1_Core_Fix6
Any deployment running one of these release lines without the core fix that addresses this issue is vulnerable. Exploitation requires that the attacker be authenticated with service execution privileges.
Vendor Security History
IBM webMethods Integration Server and related products have experienced multiple deserialization and input validation vulnerabilities in recent years. Prior advisories have addressed similar flaws, including remote code execution via unsafe deserialization and format string vulnerabilities. IBM typically issues security bulletins and patches in a timely manner, but the recurrence of these issues highlights the need for ongoing vigilance and rapid patching by enterprise customers.