CVE-2025-36184
Published: 30 January 2026
Summary
CVE-2025-36184 is a high-severity Execution with Unnecessary Privileges (CWE-250) vulnerability in IBM Db2. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 10.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Policy promotes least privilege by defining necessary privileges and management commitment to them.
Supervision detects and allows removal of unnecessary privileges that enable execution with excess rights.
Reviewing accounts for compliance, disabling/removing unneeded accounts, and aligning with termination processes prevents execution with unnecessary privileges.
Separation of duties prevents any single user from holding all privileges needed to complete a critical task, directly reducing execution with unnecessary privileges.
Directly prevents execution with more privileges than needed for assigned tasks.
Role-based training on least privilege principles reduces the chance personnel assign or retain unnecessary privileges.
Analysis of audit records can identify execution with unnecessary privileges through unusual activity patterns.
Automatic termination after a defined period eliminates unnecessary privileges from persistent connections.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Direct privilege escalation vulnerability (CWE-250) allowing instance owner to execute malicious code and gain root via exploitation of unnecessary elevated privileges in Db2 server software.
NVD Description
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 could allow an instance owner to execute malicious code that escalate their privileges to root due to execution of unnecessary privileges operated at a higher than minimum level.
Deeper analysis (AI)
CVE-2025-36184 is a privilege escalation vulnerability in IBM Db2 for Linux, UNIX, and Windows, including Db2 Connect Server, affecting versions 11.5.0 through 11.5.9. The issue stems from the execution of unnecessary privileges at a higher than minimum level (CWE-250), which could allow an instance owner to execute malicious code and escalate their privileges to root. It has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-01-30.
An attacker with instance owner privileges (PR:H) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation has a high impact on confidentiality, integrity, and availability (C:H/I:H/A:H), enabling full root-level control of the affected system without changing scope (S:U).
The IBM security advisory at https://www.ibm.com/support/pages/node/7257519 provides details on mitigation, including available patches for the affected Db2 versions.
Details
- CWE(s)