Cyber Resilience

CVE-2025-36376

Medium

Published: 17 February 2026

Published
17 February 2026
Modified
20 February 2026
KEV Added
Patch
CVSS Score v3.1 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0019 8.1th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2025-36376 is a medium-severity Insufficient Session Expiration (CWE-613) vulnerability in Ibm Security Qradar Edr. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Web Session Cookie (T1550.004); ranked at the 8.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-12 (Session Termination) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-36376 affects IBM Security QRadar EDR versions 3.12 through 3.12.23. The vulnerability stems from the application's failure to invalidate sessions after expiration, classified under CWE-613 (Insufficient Session Expiration). This flaw has a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating medium severity with network accessibility, low attack complexity, and low privileges required.

An authenticated user with low privileges can exploit this issue remotely over the network without user interaction. By continuing to use an expired session token belonging to another user, the attacker can impersonate that user, potentially gaining unauthorized access to limited confidential data, modifying system resources, or disrupting low-level availability.

IBM has published a security advisory at https://www.ibm.com/support/pages/node/7260390 providing details on the vulnerability and remediation steps. Security practitioners should consult this bulletin for patch availability and mitigation guidance specific to affected QRadar EDR deployments.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

IBM Security QRadar EDR 3.12 through 3.12.23 does not invalidate session after a session expiration which could allow an authenticated user to impersonate another user on the system.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1550.004 Web Session Cookie Lateral Movement
Adversaries can use stolen session cookies to authenticate to web applications and services.
T1078 Valid Accounts Stealth
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

Insufficient session expiration directly enables reuse of expired web session tokens for impersonation of valid accounts.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-36377Same vendor: Ibm
CVE-2026-29092Shared CWE-613
CVE-2024-13280Shared CWE-613
CVE-2024-45033Shared CWE-613
CVE-2025-13691Same vendor: Ibm
CVE-2026-5065Same vendor: Ibm
CVE-2023-35907Same vendor: Ibm
CVE-2024-45643Same product: Ibm Security Qradar Edr
CVE-2025-56643Shared CWE-613
CVE-2025-13688Same vendor: Ibm

Affected Assets

ibm
security qradar edr
3.12.0 — 3.12.24

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires invalidation of user sessions upon expiration, eliminating the exact flaw that permits continued use of expired tokens for impersonation.

prevent

Enforces that access decisions are based only on currently valid authenticated sessions, blocking the reuse of expired tokens to impersonate other users.

prevent

Protects session authenticity by ensuring identifiers and tokens cannot be trivially reused after expiration, mitigating the session-impersonation vector.

References