CVE-2025-36376
Published: 17 February 2026
Summary
CVE-2025-36376 is a medium-severity Insufficient Session Expiration (CWE-613) vulnerability in IBM Security QRadar EDR. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Web Session Cookie (T1550.004). Its exploit likelihood ranks at the 8.1 percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-12 (Session Termination) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2025-36376 affects IBM Security QRadar EDR versions 3.12 through 3.12.23. The vulnerability stems from the application's failure to invalidate sessions after expiration, classified under CWE-613 (Insufficient Session Expiration). This flaw has a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating medium severity with network accessibility, low attack complexity, and low privileges required.
An authenticated user with low privileges can exploit this issue remotely over the network without user interaction. By continuing to use an expired session token belonging to another user, the attacker can impersonate that user, potentially gaining unauthorized access to limited confidential data, modifying system resources, or causing limited disruption to availability.
IBM has published a security advisory at https://www.ibm.com/support/pages/node/7260390 providing details on the vulnerability and remediation steps. Security practitioners should consult this bulletin for patch availability and mitigation guidance specific to affected QRadar EDR deployments.
EU & UK References
- ENISA EUVD: EUVD-2025-207852
Vulnerability details
IBM Security QRadar EDR 3.12 through 3.12.23 does not invalidate session after a session expiration which could allow an authenticated user to impersonate another user on the system.
- CWE: CWE-613 (Insufficient Session Expiration)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Insufficient session expiration directly enables reuse of expired web session tokens for impersonation of valid accounts.
Mitigating Controls (NIST 800-53 r5)
- AC-12 (Session Termination): directly requires invalidation of user sessions upon expiration, eliminating the exact flaw that permits continued use of expired tokens for impersonation.
- AC-3 (Access Enforcement): enforces that access decisions are based only on currently valid authenticated sessions, blocking the reuse of expired tokens to impersonate other users.
- Protects session authenticity by ensuring identifiers and tokens cannot be trivially reused after expiration, mitigating the session-impersonation vector.
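As an added illustration (not IBM's code and not taken from the advisory), the following Python contrasts a session store that records an expiry but never enforces it, the CWE-613 pattern the analysis above describes, with one that applies AC-12 style termination by checking and discarding expired records; the class names, TTL and timestamps are constructed for the example.

```python
# Added example (not IBM's code): a minimal server-side session store showing the
# CWE-613 pattern and its correction. All names and values are hypothetical.
import secrets
import time
from dataclasses import dataclass

SESSION_TTL = 15 * 60  # seconds; constructed value for the example


@dataclass
class Session:
    user: str
    expires_at: float


class WeakSessionStore:
    """Records an expiry but never enforces it: a token stays usable after expiration."""
    def __init__(self):
        self._sessions = {}

    def create(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, now + SESSION_TTL)
        return token

    def resolve(self, token, now=None):
        # Defect: the expiry timestamp is stored but never checked.
        s = self._sessions.get(token)
        return s.user if s else None


class HardenedSessionStore(WeakSessionStore):
    """Enforces expiry (AC-12) and removes the record so the token cannot be replayed."""
    def resolve(self, token, now=None):
        now = time.time() if now is None else now
        s = self._sessions.get(token)
        if s is None:
            return None
        if now >= s.expires_at:
            # Invalidate server-side: remove the record rather than merely refusing it,
            # so the token cannot be revived by a later clock change or retry.
            self._sessions.pop(token, None)
            return None
        return s.user

    def logout(self, token):
        self._sessions.pop(token, None)  # explicit termination on logout


def demo():
    """Returns (weak_user, hardened_user) for the same token used after its TTL."""
    t0, later = 1_700_000_000.0, 1_700_000_000.0 + SESSION_TTL + 1
    weak, hard = WeakSessionStore(), HardenedSessionStore()
    wt, ht = weak.create("alice", now=t0), hard.create("alice", now=t0)
    return weak.resolve(wt, now=later), hard.resolve(ht, now=later)
```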