CVE-2025-36184
Published: 30 January 2026
Summary
CVE-2025-36184 is a high-severity Execution with Unnecessary Privileges (CWE-250) vulnerability in IBM Db2. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 13.3th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2025-36184 is a privilege escalation vulnerability in IBM Db2 for Linux, UNIX, and Windows, including Db2 Connect Server, affecting versions 11.5.0 through 11.5.9. The issue stems from execution with unnecessary privileges, operating at a higher than minimum level (CWE-250), which could allow an instance owner to execute malicious code and escalate their privileges to root. It has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-01-30.
An attacker with instance owner privileges (PR:H) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation has a high impact on confidentiality, integrity, and availability (C:H/I:H/A:H), enabling full root-level control of the affected system without changing scope (S:U).
The IBM security advisory at https://www.ibm.com/support/pages/node/7257519 provides details on mitigation, including available patches for the affected Db2 versions.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206556
Vulnerability details
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 could allow an instance owner to execute malicious code that escalates their privileges to root due to execution of unnecessary privileges operated at a higher than minimum level.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct privilege escalation vulnerability (CWE-250) allowing instance owner to execute malicious code and gain root via exploitation of unnecessary elevated privileges in Db2 server software.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires that processes and users (including the Db2 instance owner) operate only with the minimum privileges needed, eliminating the unnecessary high-level privileges that enable root escalation.
Enforces access-control policies that restrict the Db2 instance from performing actions or retaining rights beyond those explicitly authorized, blocking the privilege-escalation path to root.
Requires timely installation of vendor patches that correct the unnecessary-privilege flaw in the affected Db2 versions.