CVE-2025-36116

6.3 MEDIUM

📋 TL;DR

IBM Db2 Mirror for i GUI has a cross-site WebSocket hijacking vulnerability that allows unauthenticated attackers to intercept WebSocket connections. This could let attackers perform unauthorized operations by impersonating legitimate users. Affects Db2 Mirror for i versions 7.4, 7.5, and 7.6.

💻 Affected Systems

Products:
  • IBM Db2 Mirror for i
Versions: 7.4, 7.5, 7.6
Operating Systems: IBM i
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the GUI component; requires WebSocket connections to be accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain unauthorized administrative access to Db2 Mirror systems, potentially compromising data integrity, availability, and confidentiality across mirrored databases.

🟠 Likely Case

Attackers perform unauthorized operations within the user's privilege level, potentially modifying configurations, accessing sensitive data, or disrupting mirroring operations.

🟢 If Mitigated

With proper WebSocket security controls and network segmentation, impact is limited to isolated GUI sessions without database access.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Requires the attacker to craft malicious requests and to have network access to the GUI's WebSocket endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply IBM fix as per advisory

Vendor Advisory: https://www.ibm.com/support/pages/node/7240351

Restart Required: Yes

Instructions:

1. Review IBM advisory 7240351
2. Apply IBM-provided fix for affected Db2 Mirror versions
3. Restart Db2 Mirror services
4. Verify fix implementation

🔧 Temporary Workarounds

Restrict WebSocket Access (platform: all)

Limit network access to Db2 Mirror GUI WebSocket endpoints

Configure firewall rules to restrict WebSocket port access to trusted IPs only

Disable Unused GUI Features (platform: IBM i)

Disable WebSocket functionality if not required

Consult IBM documentation for disabling specific GUI WebSocket features

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Db2 Mirror GUI from untrusted networks
  • Deploy Web Application Firewall (WAF) with WebSocket protection rules

🔍 How to Verify

Check if Vulnerable:

Check if running affected Db2 Mirror versions 7.4, 7.5, or 7.6 without IBM's security fix

Check Version:

IBM i command: WRKACTJOB to check Db2 Mirror processes and versions

Verify Fix Applied:

Verify fix applied by checking version and consulting IBM fix verification steps

📡 Detection & Monitoring

Log Indicators:

  • Unusual WebSocket connection patterns
  • Failed authentication attempts to WebSocket endpoints
  • Unexpected GUI operations from unusual IPs

Network Indicators:

  • Malformed WebSocket handshake requests
  • Cross-origin WebSocket connections to Db2 Mirror GUI

SIEM Query:

source="db2_mirror_logs" AND (event="websocket_hijack" OR event="unauthorized_gui_operation")
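The cross-origin indicator above is the one a reverse proxy or WAF in front of the GUI can check directly: in a cross-site WebSocket hijack the browser attaches the victim's session cookie to the upgrade request, but the Origin header names the attacker's page rather than the GUI's own origin. The following is an added example (not IBM code, and not the SIEM query above): it runs an exact-match Origin check over constructed handshake records; the field names and the hostname db2mirror-gui.example.internal are assumptions, not IBM's log format.

```python
"""Flag cross-origin WebSocket upgrade handshakes to a Db2 Mirror GUI.

Added example, not IBM code. Input records are constructed: the field names
(src, path, origin, cookie) are assumptions about what a reverse proxy in
front of the GUI would log, not IBM's actual log format.
"""

# Exact origin(s) the GUI is expected to be served from (assumed hostname).
ALLOWED_ORIGINS = {"https://db2mirror-gui.example.internal"}

# Constructed sample handshakes. Records 2 and 4 have the CSWSH shape: the
# browser sent the session cookie, but the page that opened the socket lives
# on another origin. Record 4 shows why the match must be exact, not a prefix.
SAMPLE_HANDSHAKES = [
    {"src": "10.0.5.20", "path": "/ws", "cookie": True,
     "origin": "https://db2mirror-gui.example.internal"},
    {"src": "10.0.5.21", "path": "/ws", "cookie": True,
     "origin": "https://attacker.example"},
    {"src": "10.0.5.22", "path": "/ws", "cookie": False, "origin": None},
    {"src": "10.0.5.23", "path": "/ws", "cookie": True,
     "origin": "https://db2mirror-gui.example.internal.attacker.example"},
]


def classify_origin(origin, allowed=ALLOWED_ORIGINS):
    """Return 'same-origin', 'cross-origin' or 'no-origin'.

    Exact string match on scheme://host[:port]; a prefix or substring check
    would wrongly accept record 4 above.
    """
    if origin is None:
        # Browsers always send Origin on WebSocket upgrades, so a missing
        # header means a non-browser client, not a hijacked browser session.
        return "no-origin"
    return "same-origin" if origin in allowed else "cross-origin"


def find_cswsh_candidates(records, allowed=ALLOWED_ORIGINS):
    """Cross-origin upgrades that also carried a session cookie."""
    return [
        (r["src"], r["origin"])
        for r in records
        if r.get("cookie")
        and classify_origin(r.get("origin"), allowed) == "cross-origin"
    ]


if __name__ == "__main__":
    for src, origin in find_cswsh_candidates(SAMPLE_HANDSHAKES):
        print(f"cross-origin WebSocket upgrade with session cookie: {src} from {origin}")
```

The same exact-match comparison is what the GUI's own handshake handler (or a WAF rule in front of it) should enforce by rejecting the upgrade, which removes the hijack regardless of patch status.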
