CVE-2025-36384

High

Published: 30 January 2026
Modified: 05 February 2026
CVSS Score v3.1: 8.4 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0016 (5.8th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2025-36384 is a high-severity Unquoted Search Path or Element (CWE-428) vulnerability in IBM Db2. Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Path Interception by Unquoted Path (T1574.009). The CVE ranks at the 5.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-36384 is a privilege escalation vulnerability in IBM Db2 for Windows versions 12.1.0 through 12.1.3, stemming from the use of an unquoted search path element, classified under CWE-428. This flaw enables a local attacker with filesystem access to execute arbitrary code with elevated privileges when Db2 invokes certain binaries. The vulnerability carries a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its local attack vector, low complexity, and potential for complete system compromise.

A local user with filesystem access, requiring no special privileges (PR:N), can exploit this by placing a malicious executable in a directory that precedes legitimate paths in the system's search order. When Db2 launches the affected component, the attacker's binary executes instead, with potentially high impact on confidentiality, integrity, and availability, such as full administrative control over the system.

IBM's security advisory at https://www.ibm.com/support/pages/node/7257678 provides details on mitigation, including recommended patches for affected Db2 versions. Security practitioners should apply these updates promptly and review systems for unquoted path configurations in Db2 installations.
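One way to carry out the review for unquoted path configurations mentioned above, as an added example that is not IBM's or this page's own code: it checks command-line strings (for instance service ImagePath values exported from the registry) for an unquoted executable path containing spaces, and lists the directories whose write permissions then need review. The sample command lines are constructed and do not name actual Db2 binaries; `audit_command_line` is a hypothetical helper name.

```python
import ntpath
import re

# End of the executable token: first ".exe" followed by whitespace or end of string.
_IMAGE_END = re.compile(r"\.exe(?=\s|$)", re.IGNORECASE)

def audit_command_line(cmdline: str) -> dict:
    """Flag an unquoted executable path with spaces (CWE-428) and list what to review."""
    cmd = cmdline.strip()
    result = {"command": cmd, "unquoted": False, "probe_paths": [], "dirs_to_review": []}
    if cmd.startswith('"'):
        return result                      # image path is quoted: not affected
    match = _IMAGE_END.search(cmd)
    if not match:
        return result                      # no .exe token: outside this check's scope
    image = cmd[:match.end()]
    if " " not in image:
        return result                      # unquoted but no spaces: unambiguous
    result["unquoted"] = True
    # Windows resolves an unquoted path by trying each space-delimited prefix
    # with ".exe" appended, left to right, before reaching the intended binary.
    for i, ch in enumerate(image):
        if ch == " " and image[i - 1] != " ":
            probe = image[:i] + ".exe"
            result["probe_paths"].append(probe)
            parent = ntpath.dirname(probe)
            if parent not in result["dirs_to_review"]:
                result["dirs_to_review"].append(parent)
    return result

# Constructed sample values (hypothetical vendor path, not real Db2 entries).
SAMPLES = [
    r'C:\Program Files\Example Vendor\bin\agent.exe -service',
    r'"C:\Program Files\Example Vendor\bin\agent.exe" -service',
    r'C:\Windows\System32\svchost.exe -k netsvcs',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        finding = audit_command_line(sample)
        status = "REVIEW" if finding["unquoted"] else "ok"
        print(f"[{status}] {finding['command']}")
        for directory in finding["dirs_to_review"]:
            print(f"    verify non-admin users cannot write to: {directory}")
        for probe in finding["probe_paths"]:
            print(f"    no file should exist at: {probe}")
```

Any entry marked REVIEW should be fixed by quoting the path (or applying the vendor patch), and the listed directories should deny write access to non-administrative users.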

Vulnerability details

IBM Db2 for Windows 12.1.0 - 12.1.3 could allow a local user with filesystem access to escalate their privileges due to the use of an unquoted search path element.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1574.009 Path Interception by Unquoted Path · Stealth
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.
Why these techniques?

Unquoted search path element (CWE-428) directly enables path interception by unquoted path for local privilege escalation via malicious executable placement.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-36365: Same product: IBM Db2
CVE-2025-36070: Same product: IBM Db2
CVE-2025-36442: Same product: IBM Db2
CVE-2025-36247: Same product: IBM Db2
CVE-2025-36184: Same product: IBM Db2
CVE-2023-54336: Shared CWE-428
CVE-2020-36979: Shared CWE-428
CVE-2022-50929: Shared CWE-428
CVE-2022-50924: Shared CWE-428
CVE-2019-25231: Shared CWE-428

Affected Assets

ibm · db2 · 12.1.0 — 12.1.3

Mitigating Controls (NIST 800-53 r5)

prevent

Directly requires timely identification, reporting, and correction of flaws like the unquoted search path vulnerability in IBM Db2 via vendor-provided patches.

prevent

Establishes and enforces secure configuration settings for Db2 that can mitigate unquoted search path exploitation through proper path handling and restrictive directory permissions.

prevent

Enforces least privilege on Db2 processes to limit the scope and impact of privilege escalation resulting from unquoted search path hijacking.