Cyber Posture

CVE-2025-36384

High

Published: 30 January 2026

Modified: 05 February 2026
KEV Added
Patch
CVSS Score: 8.4 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (0.6th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-36384 is a high-severity Unquoted Search Path or Element (CWE-428) vulnerability in IBM Db2. Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Path Interception by Unquoted Path (T1574.009). The CVE ranks at the 0.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Path Interception by Unquoted Path (T1574.009). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

prevent

Directly requires timely identification, reporting, and correction of flaws like the unquoted search path vulnerability in IBM Db2 via vendor-provided patches.

prevent

Establishes and enforces secure configuration settings for Db2 that can mitigate unquoted search path exploitation through proper path handling and restrictive directory permissions.

prevent

Enforces least privilege on Db2 processes to limit the scope and impact of privilege escalation resulting from unquoted search path hijacking.

MITRE ATT&CK Enterprise Techniques [AI]

T1574.009 Path Interception by Unquoted Path Stealth
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.

Why these techniques?

Unquoted search path element (CWE-428) directly enables path interception by unquoted path for local privilege escalation via malicious executable placement.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

IBM Db2 for Windows 12.1.0 - 12.1.3 could allow a local user with filesystem access to escalate their privileges due to the use of an unquoted search path element.

Deeper analysis [AI]

CVE-2025-36384 is a privilege escalation vulnerability in IBM Db2 for Windows versions 12.1.0 through 12.1.3, stemming from the use of an unquoted search path element, classified under CWE-428. This flaw enables a local attacker with filesystem access to execute arbitrary code with elevated privileges when Db2 invokes certain binaries. The vulnerability carries a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its local attack vector, low complexity, and potential for complete system compromise.

A local user with filesystem access, requiring no special privileges (PR:N), can exploit this by placing a malicious executable in a directory that precedes legitimate paths in the system's search order. When Db2 launches the affected component, the attacker's binary executes instead, potentially granting high levels of confidentiality, integrity, and availability impact, such as full administrative control over the system.

IBM's security advisory at https://www.ibm.com/support/pages/node/7257678 provides details on mitigation, including recommended patches for affected Db2 versions. Security practitioners should apply these updates promptly and review systems for unquoted path configurations in Db2 installations.
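One way to carry out the review for unquoted path configurations mentioned above, as an added example that is not from IBM's advisory or this page: it takes launch command lines (for instance, image paths exported from a host) and lists the earlier file locations Windows tries for each unquoted path containing spaces, so those locations and their parent directory permissions can be checked. The sample command lines and function names are constructed for illustration and are not real Db2 paths.

```python
import ntpath
import re

# Constructed sample command lines; not taken from a real Db2 installation.
SAMPLES = [
    r'C:\Program Files\Example Vendor\bin\svc.exe -k run',
    r'"C:\Program Files\Example Vendor\bin\svc.exe" -k run',
    r'C:\Tools\svc.exe --data "C:\My Data"',
]

_EXE_END = re.compile(r'\.exe(?=\s|$)', re.IGNORECASE)


def executable_part(cmdline):
    """Return the unquoted executable path, or None when it is quoted or empty."""
    cmdline = cmdline.strip()
    if not cmdline or cmdline.startswith('"'):
        return None
    match = _EXE_END.search(cmdline)
    # Without a visible .exe, fall back to the first whitespace-delimited token.
    return cmdline[:match.end()] if match else cmdline.split()[0]


def earlier_candidates(cmdline):
    """List the paths Windows tries before the intended one (CWE-428)."""
    exe = executable_part(cmdline)
    if exe is None or ' ' not in exe:
        return []
    found = []
    for i, ch in enumerate(exe):
        if ch != ' ' or exe[i - 1] == ' ':
            continue
        prefix = exe[:i]
        # CreateProcess appends .exe when the truncated name has no extension.
        if not ntpath.splitext(prefix)[1]:
            prefix += '.exe'
        found.append(prefix)
    return found


def audit(cmdlines):
    """Map each flagged command line to the locations that need an ACL review."""
    return {c: earlier_candidates(c) for c in cmdlines if earlier_candidates(c)}


if __name__ == '__main__':
    for cmd, paths in audit(SAMPLES).items():
        print('UNQUOTED:', cmd)
        for p in paths:
            print('  verify absent and parent not user-writable:', p)
```

Quoting the executable path in the launch configuration removes every listed candidate, which is why the second sample produces no findings.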

Details

CWE(s)

Affected Products

Vendor: ibm
Product: db2
Versions: 12.1.0 - 12.1.3

CVEs Like This One

CVE-2025-36070 (Same product: IBM Db2)
CVE-2025-36247 (Same product: IBM Db2)
CVE-2025-36442 (Same product: IBM Db2)
CVE-2025-36365 (Same product: IBM Db2)
CVE-2025-36184 (Same product: IBM Db2)
CVE-2026-5789 (Shared CWE-428)
CVE-2026-34768 (Shared CWE-428)
CVE-2025-41359 (Shared CWE-428)
CVE-2025-21107 (Shared CWE-428)
CVE-2024-49352 (Same vendor: IBM)
