+1 973-826-7406|info@avadasoftware.com

Avada Software Logo

IBM MQ Console/REST API XSS vulnerability fixed: CVE-2025-12635 (DT457904)

By |Published On: March 3rd, 2026|3 min read|
Table of Contents

IBM MQ Console/REST API XSS vulnerability fixed: CVE-2025-12635 (DT457904)

IBM published a security bulletin describing how IBM MQ can be affected by a cross-site scripting (XSS) vulnerability in IBM WebSphere Application Server Liberty—the Liberty runtime IBM MQ uses to provide the IBM MQ Console and the IBM MQ REST API.1

What’s the issue?

The vulnerability is tracked as CVE-2025-12635 and is described as improper validation of user-supplied input leading to an XSS condition. IBM notes it could be exploited via a specially crafted URL to redirect a user to a malicious site.21

IBM rates the issue as Medium severity with a CVSS v3.1 base score of 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).13

Who is affected?

IBM lists IBM MQ LTS and Continuous Delivery (CD) release trains as affected across versions 9.1, 9.2, 9.3, and 9.4. The bulletin also explicitly calls out that the affected installable component is “REST API and Console,” so the practical exposure is highest where the MQ Console and/or MQ REST API are installed and in use.14

Fixes: what to patch to
IBM states this was addressed under Known Issue DT457904 and provides the following remediation levels:1

Long Term Support (LTS)

  • IBM MQ 9.1 LTS: apply cumulative security update (CSU) 9.1.0.345
  • IBM MQ 9.2 LTS: apply cumulative security update (CSU) 9.2.0.416
  • IBM MQ 9.3 LTS: apply cumulative security update (CSU) 9.3.0.377
  • IBM MQ 9.4 LTS: apply fix pack 9.4.0.208

Continuous Delivery (CD)

  • IBM MQ 9.3 CD / 9.4 CD: upgrade to IBM MQ 9.4.5 (9.4.5.0) or later.91

Workarounds and mitigations

IBM lists no workarounds or mitigations for this issue; patching or upgrading is the recommended approach.1

Quick triage checklist for MQ admins

  1. Confirm whether the MQ Console and/or MQ REST API is installed and exposed in each environment. If the “REST API and Console” component isn’t installed, the bulletin indicates the vulnerable code path may not be present.1
  2. Identify whether each environment is on LTS or CD, then map the current fix level to the remediation target above.
  3. If you build custom container images: IBM’s component guidance notes that MQ “non-install images” (used for container builds) contain the same components as the full product media at the corresponding level (with limited exceptions). Review your build inputs and ensure they pull the updated fix levels.4

Take the Next Step

If you’re patching this quickly, don’t stop at the fix level—use the same moment to verify your MQ console/REST access controls, browser-facing endpoints, and alerting so the next bulletin doesn’t turn into another fire drill. For a practical hardening checklist, download the guide: Securing Modern IBM MQ Environments.

Endnotes

  1. IBM Security Bulletin: IBM MQ is affected by a vulnerability in IBM WebSphere Application Server Liberty (CVE-2025-12635). https://www.ibm.com/support/pages/node/7261943
  2. CVE Record: CVE-2025-12635. https://www.cve.org/CVERecord?id=CVE-2025-12635
  3. CVSS v3 calculator (FIRST). https://www.first.org/cvss/calculator/3.0
  4. Installable component names used in IBM MQ security bulletins. https://www.ibm.com/support/pages/installable-component-names-used-ibm-mq-security-bulletins
  5. IBM MQ 9.1 LTS: apply cumulative security update (CSU) 9.1.0.34. https://www.ibm.com/support/pages/downloading-ibm-mq-91-lts
  6. IBM MQ 9.2 LTS: apply cumulative security update (CSU) 9.2.0.41. https://www.ibm.com/support/pages/downloading-ibm-mq-92-lts
  7. IBM MQ 9.3 LTS: apply cumulative security update (CSU) 9.3.0.37. https://www.ibm.com/support/pages/downloading-ibm-mq-93-lts
  8. IBM MQ 9.4 LTS: apply fix pack 9.4.0.20. https://www.ibm.com/support/pages/downloading-ibm-mq-94-lts
  9. Downloading IBM MQ 9.4 CD. https://www.ibm.com/support/pages/downloading-ibm-mq-94-cd

Related Posts

IBM MQ Console/REST API XSS vulnerability fixed: CVE-2025-12635 (DT457904)
IBM MQ Console/REST API XSS vulnerability fixed: CVE-2025-12635 (DT457904)
Gallery

IBM MQ Console/REST API XSS vulnerability fixed: CVE-2025-12635 (DT457904)

March 3rd, 2026
Critical Java SDK Vulnerabilities Found in IBM Tivoli Monitoring
Critical Java SDK Vulnerabilities Found in IBM Tivoli Monitoring
Gallery

Critical Java SDK Vulnerabilities Found in IBM Tivoli Monitoring

February 25th, 2026
All Agents Aren’t Created Equal: AI “Agents” vs. Monitoring “Agents”
All Agents Aren’t Created Equal: AI “Agents” vs. Monitoring “Agents”
Gallery

All Agents Aren’t Created Equal: AI “Agents” vs. Monitoring “Agents”

February 17th, 2026
IBM MQ 9.4.5: A practical upgrade for teams modernizing MQ (without breaking what already works)
IBM MQ 9.4.5: A practical upgrade for teams modernizing MQ (without breaking what already works)
Gallery

IBM MQ 9.4.5: A practical upgrade for teams modernizing MQ (without breaking what already works)

February 11th, 2026
DataPower X4 is Coming. Is Your Monitoring Ready?
DataPower X4 is Coming. Is Your Monitoring Ready?
Gallery

DataPower X4 is Coming. Is Your Monitoring Ready?

February 5th, 2026
Mainframe Middleware Monitoring: How to Break the Silo
Mainframe Middleware Monitoring: How to Break the Silo
Gallery

Mainframe Middleware Monitoring: How to Break the Silo

January 29th, 2026
Best of 2025: Top Middleware Trends & Integration Guides
Best of 2025: Top Middleware Trends & Integration Guides
Gallery

Best of 2025: Top Middleware Trends & Integration Guides

January 6th, 2026
A Smarter Way to Handle Message Data: Understanding Context Trees in IBM App Connect Enterprise
A Smarter Way to Handle Message Data: Understanding Context Trees in IBM App Connect Enterprise
Gallery

A Smarter Way to Handle Message Data: Understanding Context Trees in IBM App Connect Enterprise

December 15th, 2025
IBM MQ vulnerability to Slowloris attack: What Your Team Can Do About It
IBM MQ vulnerability to Slowloris attack: What Your Team Can Do About It
Gallery

IBM MQ vulnerability to Slowloris attack: What Your Team Can Do About It

November 25th, 2025
Smarter Than Scripts: How Intelligent Automation Transforms IBM MQ Administration
Smarter Than Scripts: How Intelligent Automation Transforms IBM MQ Administration
Gallery

Smarter Than Scripts: How Intelligent Automation Transforms IBM MQ Administration

November 3rd, 2025

More Infrared360® Resources

Articles & Papers

Overcome the Challenges of Moving Core Banking and Transaction Processing to the Cloud

Secure the Edge with IBM® DataPower® Gateway Appliance

5 Challenges & Solutions When Modernizing Your Middleware Infrastructure

Proactive vs. Forensic – Middleware – Health Monitoring

Seven Middleware Challenges You Must Overcome Before Your Cloud Migration

Monitoring Widely Distributed Environments Without Losing Focus

eBook: Inside IBM MQ Deployment Choices

Contain Costs and Mitigate Risks of Transactions on the Middleware Superhighway

Case Studies

Parker Hannifin Improves Efficiencies Across Business Units with Infrared360® and Trusted Spaces™

Alight Implements Secure, Holistic Self-Service Messaging

Sompo International Builds Business Platform Optimization with SOAP and REST Monitoring

The power of a healthy network: Visiting Nurse Service of New York harnesses IBM, partner technology to streamline patient care.

Video

The Business Case for Modernizing Your MQ Estate Today

Improving Productivity Through Smart, Safe Self-Service

Managing Middleware in Hybrid Cloud

Integrating Data in the Cloud with IBM App Connect

Transforming Your IBM MQ Estate Using Containers

Integration Modernization Lessons Learned

IBM MQ: Enterprise-wide Integration for Modern Distributed Environments

Understanding External Influences on Your Integration Strategy and Direction

Analyst Reports

Peer Reviews for Infrared360®

Avada Software Named a Most Promising IBM Solution Provider for 2023

Avada Software named one of Most Promising IBM Solutions Providers for 2022

A Systems Integrator and Services Provider Cuts Costs, Creates New Revenue Streams While Improving Service Delivery

Infrared360 named one of CIOReview’s 20 Most Promising APM Solution Providers

Analyst Report: Managing an IBM MQ Environment at USBank

CIO Feedback/Data Sheet

About the Author: Scott Treggiari

AVADA SOFTWARE AT A GLANCE

Avada Software’s flagship product, Infrared360®, is an IT management portal providing total administration, monitoring, testing, auditing, analytics dashboards, and self-service for cloud, on-prem, or hybrid environments. Get secure, collaborative management of elements across your IT stack like Kafka®, IBM® MQ, IBM® ACE/IIB, ActiveMQ®, WebSphere®, JBoss®, and Tomcat® Application Servers, URLs, SOAP & REST-based web services, IBM® DataPower® and MQ Appliance.

Latest Insight

The Middleware Blog

March 3rd, 2026|

IBM MQ Appliance Authority Vulnerability (CVE-2026-1713) Addressed: What MQ Teams Should Do Now

Security bulletin recap and upgrade checklist for IBM MQ Appliance 9.4 LTS and 9.4 CD

Key takeaways

  • IBM disclosed and addressed an authority […]
Read More

March 3rd, 2026|

IBM MQ Console/REST API XSS vulnerability fixed: CVE-2025-12635 (DT457904)

IBM published a security bulletin describing how IBM MQ can be affected by a cross-site scripting (XSS) vulnerability in IBM WebSphere Application Server Liberty—the Liberty runtime IBM MQ uses to provide the IBM MQ Console and the IBM MQ REST API.1

What’s the issue?

The vulnerability is tracked as CVE-2025-12635 and is described as improper validation of user-supplied input leading to an XSS […]

Read More

February 25th, 2026|

Understanding the Recent IBM Tivoli Monitoring Java SDK Vulnerabilities

Recently, IBM published a security bulletin addressing multiple vulnerabilities within the IBM SDK Java Technology Edition that is bundled with various IBM Tivoli Monitoring (ITM) components. Because these components are heavily relied upon for enterprise environment monitoring, understanding the scope of these vulnerabilities and applying the necessary patches is crucial for maintaining system integrity.

The core issue stems from five newly disclosed […]

Read More

February 17th, 2026|

AI Agents vs. Monitoring Agents: Why the Difference Matters for IT Operations

If you’ve been following the AI headlines lately, you’ve probably seen “AI agents” everywhere—pitched as autonomous systems that perceive context, reason, plan, and take actions with minimal human intervention. The hype is real, but it’s also creating a very specific kind of confusion:

Enterprises already have strong opinions about “agents.” In IT operations, an “agent” has long meant installed […]

Read More

February 11th, 2026|

IBM MQ 9.4.5: A practical upgrade for teams modernizing MQ (without breaking what already works) IBM MQ has a reputation for doing the unglamorous job extremely well: moving important data, exactly once, across messy enterprise realities. The IBM MQ 9.4.5 announcement (published February 3, 2026) signals something important about where MQ is headed next: more “Kubernetes-native by default,” more self-service operations, and tighter security/observability across hybrid estates.[1]

Rather […]

Read More

February 5th, 2026|

DataPower X4 is Coming. Is Your Monitoring Ready?

The Edge just got sharper.

On March 26, 2026, IBM will officially release the DataPower Gateway X4 appliance and Firmware v11.0. This isn’t just a hardware refresh; it represents a fundamental shift in how enterprises secure the edge.

But here’s the thing:

Upgrading your engine doesn’t matter if you can’t see the dashboard. As you prepare to adopt this new beast of a machine, you […]

Read More

We are proud supporters of:

Avada Software. All Rights Reserved |This website may contain logos and trademarks of third parties. These are the property of their respective owners and are used on this site for informational purposes only. Avada Software does not claim any ownership or association with these trademarks or, except where explicitly stated, their respective organizations. | Privacy Policy
Go to Top