CVE-2025-36365

Medium

Published: 30 January 2026

Published

30 January 2026

Modified

05 February 2026

KEV Added

—

Patch

—

CVSS Score 6.8 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

EPSS Score 0.0001 2.9th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-36365 is a medium-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Ibm Db2. Its CVSS base score is 6.8 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 2.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190).

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

AC-24 Access Control Decisions

addresses: CWE-639

Per-request decision making makes it harder to bypass authorization using user-controlled keys without proper validation in the decision process.

AC-3 Access Enforcement

addresses: CWE-639

Consistent enforcement of approved authorizations makes bypassing via user-controlled keys ineffective.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Authorization bypass in network-accessible Db2 server directly enables exploitation of a public-facing application to execute unauthorized commands.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 under specific configuration of cataloged remote storage aliases could allow an authenticated user to execute unauthorized commands due to an authorization bypass…

vulnerability using a user-controlled key.

Deeper analysisAI

CVE-2025-36365 is an authorization bypass vulnerability (CWE-639) affecting IBM Db2 for Linux, UNIX, and Windows, including Db2 Connect Server, in versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.3. The issue arises under specific configurations of cataloged remote storage aliases, where an authenticated user can execute unauthorized commands by using a user-controlled key. It was published on 2026-01-30 with a CVSS v3.1 base score of 6.8 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N).

An authenticated user with low privileges (PR:L) can exploit this vulnerability over the network (AV:N), though it requires high attack complexity (AC:H) and no user interaction (UI:N). Successful exploitation results in high impacts to confidentiality and integrity (C:H/I:H) with no availability impact (A:N), allowing the execution of unauthorized commands.

IBM provides details on mitigation and patches in their security bulletin at https://www.ibm.com/support/pages/node/7257665.

Details

CWE(s): CWE-639

Affected Products

ibm

db2

11.5.0 — 11.5.9 · 11.5.0 — 11.5.9 · 11.5.0 — 11.5.9

CVEs Like This One

CVE-2025-36070Same product: Ibm Db2

CVE-2025-36247Same product: Ibm Db2

CVE-2025-36384Same product: Ibm Db2

CVE-2025-36442Same product: Ibm Db2

CVE-2025-36184Same product: Ibm Db2

CVE-2024-49352Same vendor: Ibm

CVE-2023-49886Same vendor: Ibm

CVE-2026-1343Same vendor: Ibm

CVE-2025-14914Same vendor: Ibm

CVE-2025-36379Same vendor: Ibm

References

https://www.ibm.com/support/pages/node/7257665
Patch, Vendor Advisory · psirt@us.ibm.com