CVE-2025-36365
Published: 30 January 2026
Summary
CVE-2025-36365 is a medium-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Ibm Db2. Its CVSS base score is 6.8 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 3.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2025-36365 is an authorization bypass vulnerability (CWE-639) affecting IBM Db2 for Linux, UNIX, and Windows, including Db2 Connect Server, in versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.3. The issue arises under specific configurations of cataloged remote storage aliases, where an authenticated user can execute unauthorized commands by using a user-controlled key. It was published on 2026-01-30 with a CVSS v3.1 base score of 6.8 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N).
An authenticated user with low privileges (PR:L) can exploit this vulnerability over the network (AV:N), though it requires high attack complexity (AC:H) and no user interaction (UI:N). Successful exploitation results in high impacts to confidentiality and integrity (C:H/I:H) with no availability impact (A:N), allowing the execution of unauthorized commands.
IBM provides details on mitigation and patches in their security bulletin at https://www.ibm.com/support/pages/node/7257665.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206558
Vulnerability details
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 under specific configuration of cataloged remote storage aliases could allow an authenticated user to execute unauthorized commands due to an authorization bypass…
more
vulnerability using a user-controlled key.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Authorization bypass in network-accessible Db2 server directly enables exploitation of a public-facing application to execute unauthorized commands.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces approved authorizations for remote storage aliases, blocking the user-controlled key bypass that allows unauthorized command execution.
Requires the system to use reliable access-control decision information rather than attacker-supplied keys when authorizing Db2 remote-storage operations.
Limits the privileges granted to authenticated users, reducing the impact of any authorization bypass on cataloged remote storage aliases.