Cyber Resilience

CVE-2025-36365

Medium

Published: 30 January 2026

Published
30 January 2026
Modified
05 February 2026
KEV Added
Patch
CVSS Score v3.1 6.8 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.0002 3.8th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-36365 is a medium-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Ibm Db2. Its CVSS base score is 6.8 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 3.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-36365 is an authorization bypass vulnerability (CWE-639) affecting IBM Db2 for Linux, UNIX, and Windows, including Db2 Connect Server, in versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.3. The issue arises under specific configurations of cataloged remote storage aliases, where an authenticated user can execute unauthorized commands by using a user-controlled key. It was published on 2026-01-30 with a CVSS v3.1 base score of 6.8 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N).

An authenticated user with low privileges (PR:L) can exploit this vulnerability over the network (AV:N), though it requires high attack complexity (AC:H) and no user interaction (UI:N). Successful exploitation results in high impacts to confidentiality and integrity (C:H/I:H) with no availability impact (A:N), allowing the execution of unauthorized commands.

IBM provides details on mitigation and patches in their security bulletin at https://www.ibm.com/support/pages/node/7257665.

EU & UK References

Vulnerability details

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 under specific configuration of cataloged remote storage aliases could allow an authenticated user to execute unauthorized commands due to an authorization bypass…

more

vulnerability using a user-controlled key.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Authorization bypass in network-accessible Db2 server directly enables exploitation of a public-facing application to execute unauthorized commands.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-36247Same product: Ibm Db2
CVE-2025-36384Same product: Ibm Db2
CVE-2025-36070Same product: Ibm Db2
CVE-2025-36442Same product: Ibm Db2
CVE-2025-36184Same product: Ibm Db2
CVE-2023-49886Same vendor: Ibm
CVE-2024-39750Same vendor: Ibm
CVE-2026-9170Same vendor: Ibm
CVE-2026-8175Same vendor: Ibm
CVE-2026-7876Same vendor: Ibm

Affected Assets

ibm
db2
11.5.0 — 11.5.9 · 11.5.0 — 11.5.9 · 11.5.0 — 11.5.9

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces approved authorizations for remote storage aliases, blocking the user-controlled key bypass that allows unauthorized command execution.

prevent

Requires the system to use reliable access-control decision information rather than attacker-supplied keys when authorizing Db2 remote-storage operations.

prevent

Limits the privileges granted to authenticated users, reducing the impact of any authorization bypass on cataloged remote storage aliases.

References