CVE-2025-13867

6.5 MEDIUM

📋 TL;DR

This vulnerability in IBM Db2 allows authenticated users to cause denial of service by exploiting improper input sanitization in data query logic. It affects Db2 versions 11.5.0-11.5.9 and 12.1.0-12.1.3 on Linux, UNIX, and Windows systems. Attackers with database credentials can disrupt database availability.

💻 Affected Systems

Products:
  • IBM Db2 for Linux, UNIX and Windows
  • IBM Db2 Connect Server
Versions: 11.5.0 through 11.5.9 and 12.1.0 through 12.1.3
Operating Systems: Linux, UNIX, Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated database user access; affects both standard and Connect Server editions.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database unavailability affecting all dependent applications and services, requiring database restart or recovery procedures.

🟠 Likely Case: Partial or intermittent database service disruption affecting specific queries or connections, degrading application performance.

🟢 If Mitigated: Minimal impact with proper authentication controls and query monitoring in place.

🌐 Internet-Facing: MEDIUM - Requires authentication but internet-facing databases are more exposed to credential attacks.
🏢 Internal Only: MEDIUM - Internal authenticated users could still exploit, though attack surface is smaller.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated access and knowledge of specific query patterns to trigger the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply fixes from IBM: 11.5.9.0a and 12.1.3.0a or later

Vendor Advisory: https://www.ibm.com/support/pages/node/7259963

Restart Required: Yes

Instructions:

1. Download the appropriate fix from IBM Fix Central.
2. Apply the fix following IBM Db2 update procedures.
3. Restart the Db2 instance.
4. Verify the version with the db2level command.

🔧 Temporary Workarounds

Restrict Database User Privileges

Limit authenticated users to minimal necessary privileges to reduce attack surface.

REVOKE EXECUTE ON PROCEDURE <procedure_name> FROM <user>
REVOKE SELECT ON TABLE <table_name> FROM <user>

Implement Query Monitoring

Monitor and alert on unusual query patterns that could trigger the vulnerability.

db2pd -db <dbname> -dynamic
db2 get snapshot for database on <dbname>

🧯 If You Can't Patch

  • Implement strict principle of least privilege for all database users
  • Deploy network segmentation and firewall rules to restrict database access to trusted sources only

🔍 How to Verify

Check if Vulnerable:

Check Db2 version with db2level command and compare against affected versions 11.5.0-11.5.9 or 12.1.0-12.1.3.

Check Version:

db2level

Verify Fix Applied:

Run db2level command and verify version is 11.5.9.0a or later, or 12.1.3.0a or later.
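The version check above can be scripted so it runs identically on every Db2 host. The script below is an added example and is not from IBM or this advisory; it parses the "DB2 vX.Y.Z.W" informational token of db2level output (the sample transcript is constructed to resemble that line) and reports whether the modification level falls inside 11.5.0-11.5.9 or 12.1.0-12.1.3. The "a" special-build suffix the fix is named by is not parsed here, so AFFECTED-RANGE means "confirm the special build from the IBM advisory is installed", not "definitely vulnerable".

```shell
#!/bin/sh
# Added example, not from IBM or this advisory: classify a host's
# db2level output against the version ranges listed for CVE-2025-13867.
# SAMPLE_DB2LEVEL is constructed to resemble db2level's informational
# tokens line; the "a" special-build suffix named in the fix is not
# visible in this token, so AFFECTED-RANGE means "confirm the special
# build from the IBM advisory is installed", not "definitely vulnerable".

SAMPLE_DB2LEVEL='DB21085I  This instance or install (instance name, where applicable: "db2inst1") uses "64" bits and DB2 code release "SQL11059" with level identifier "0A0B0107".
Informational tokens are "DB2 v11.5.9.0", "s2310270807", "DYN2310270807AMD64", and Fix Pack "0".
Product is installed at "/opt/ibm/db2/V11.5".'

# Print the dotted version from the "DB2 vX.Y.Z.W" token read on stdin.
db2_version_from_output() {
    sed -n 's/.*"DB2 v\([0-9][0-9.]*\)".*/\1/p' | head -n 1
}

# Exit 0 if X.Y.Z[.W] lies in 11.5.0-11.5.9 or 12.1.0-12.1.3, else 1.
db2_in_affected_range() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    mod=$(printf '%s' "$1" | cut -d. -f3)
    case "$mod" in ''|*[!0-9]*) return 1 ;; esac   # no numeric mod level
    case "$major.$minor" in
        11.5) [ "$mod" -le 9 ] && return 0 ;;
        12.1) [ "$mod" -le 3 ] && return 0 ;;
    esac
    return 1
}

# Print UNKNOWN, AFFECTED-RANGE or OUTSIDE-RANGE for a db2level transcript.
db2_cve_status() {
    ver=$(printf '%s\n' "$1" | db2_version_from_output)
    if [ -z "$ver" ]; then
        echo "UNKNOWN"
    elif db2_in_affected_range "$ver"; then
        echo "AFFECTED-RANGE"
    else
        echo "OUTSIDE-RANGE"
    fi
}

# On a real host: db2_cve_status "$(db2level)"
db2_cve_status "$SAMPLE_DB2LEVEL"
```

Run it as the instance owner (the user that can execute db2level) and feed the real output with `db2_cve_status "$(db2level)"`; an AFFECTED-RANGE result is the cue to compare the installed special build against the identifiers in the vendor advisory.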

📡 Detection & Monitoring

Log Indicators:

  • Unexpected database crashes or restarts
  • Error messages related to query processing failures
  • High CPU/memory usage spikes from database processes

Network Indicators:

  • Increased failed connection attempts to database
  • Unusual query patterns from authenticated users

SIEM Query:

source="db2*" AND (event_type="crash" OR error_code="SQL*" OR message="*denial*" OR message="*service*" OR message="*query*")

This query is intentionally broad: the error_code="SQL*" and message="*service*" / message="*query*" terms will also match routine Db2 traffic, so tune the field names and patterns to your Db2 diagnostic log format before using it for alerting.
