Cyber Resilience

CVE-2025-36184

High

Published: 30 January 2026
Modified: 05 February 2026
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0004 (13.3th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-36184 is a high-severity Execution with Unnecessary Privileges (CWE-250) vulnerability in IBM Db2. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 13.3th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-36184 is a privilege escalation vulnerability in IBM Db2 for Linux, UNIX, and Windows, including Db2 Connect Server, affecting versions 11.5.0 through 11.5.9. The issue is an instance of execution with unnecessary privileges (CWE-250): operations run at a higher than minimum privilege level, which could allow an instance owner to execute malicious code and escalate their privileges to root. It has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-01-30.

An attacker with instance owner privileges (PR:H) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation has a high impact on confidentiality, integrity, and availability (C:H/I:H/A:H), enabling full root-level control of the affected system without changing scope (S:U).

The IBM security advisory at https://www.ibm.com/support/pages/node/7257519 provides details on mitigation, including available patches for the affected Db2 versions.

EU & UK References

Vulnerability details

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 could allow an instance owner to execute malicious code that escalates their privileges to root due to execution of unnecessary privileges operated at a higher than minimum level.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Direct privilege escalation vulnerability (CWE-250) allowing instance owner to execute malicious code and gain root via exploitation of unnecessary elevated privileges in Db2 server software.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-36070 (same product: IBM Db2)
CVE-2025-36247 (same product: IBM Db2)
CVE-2025-36384 (same product: IBM Db2)
CVE-2026-3623 (same vendor: IBM)
CVE-2025-36442 (same product: IBM Db2)
CVE-2024-49814 (same vendor: IBM)
CVE-2025-36365 (same product: IBM Db2)
CVE-2026-1346 (same vendor: IBM)
CVE-2026-2311 (same vendor: IBM)
CVE-2025-14604 (same vendor: IBM)

Affected Assets

Vendor: ibm
Product: db2
Versions: 11.5.0 — 11.5.9

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly requires that processes and users (including the Db2 instance owner) operate only with the minimum privileges needed, eliminating the unnecessary high-level privileges that enable root escalation.

prevent

Enforces access-control policies that restrict the Db2 instance from performing actions or retaining rights beyond those explicitly authorized, blocking the privilege-escalation path to root.

prevent

Requires timely installation of vendor patches that correct the unnecessary-privilege flaw in the affected Db2 versions.

References