CVE-2025-36247

7.1 HIGH

📋 TL;DR

IBM Db2 databases running vulnerable versions are susceptible to XML external entity injection (XXE) attacks when processing XML data. This allows remote attackers to read sensitive files from the server or cause denial of service through resource consumption. Affected systems include Db2 versions 11.5.0-11.5.9 and 12.1.0-12.1.3 on Linux, UNIX, and Windows platforms.

💻 Affected Systems

Products:
  • IBM Db2 for Linux, UNIX and Windows
  • IBM Db2 Connect Server
Versions: 11.5.0 through 11.5.9 and 12.1.0 through 12.1.3
Operating Systems: Linux, UNIX, Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All installations processing XML data are vulnerable. The vulnerability exists in the XML parser component.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server file system disclosure including configuration files, credentials, and sensitive data, potentially leading to full system compromise.

🟠 Likely Case: Partial disclosure of files readable by the Db2 process and potential denial of service through memory exhaustion.

🟢 If Mitigated: Limited impact with proper network segmentation and XML processing restrictions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XXE vulnerabilities typically have low exploitation complexity. Exploitation requires the ability to submit XML data to a vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply fixes from IBM Security Bulletin

Vendor Advisory: https://www.ibm.com/support/pages/node/7259961

Restart Required: Yes

Instructions:

1. Review the IBM Security Bulletin.
2. Apply the appropriate fix pack or interim fix.
3. Restart Db2 services.
4. Verify that the fix was applied.

🔧 Temporary Workarounds

Disable external entity processing (applies to: all versions)

Configure the XML parser to disallow external entity resolution:

Set DB2_XML_XINCLUDE to NO
Set DB2_XML_XINCLUDE_FIXUP to NO

Restrict XML input sources (applies to: all versions)

Implement input validation to restrict XML processing to trusted sources only.

🧯 If You Can't Patch

  • Implement network segmentation to restrict access to Db2 servers
  • Deploy web application firewall with XXE protection rules

🔍 How to Verify

Check if Vulnerable:

Check the Db2 version with the db2level command and compare it against the affected version ranges listed above.

Check Version:

db2level | grep -E "Informational tokens|Product is installed"

Verify Fix Applied:

Re-run db2level after patch application, confirm the reported level matches the fixed build named in the IBM bulletin, and test XML processing functionality.
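The version comparison described above, as an added example (not code from IBM or from this advisory): it parses the "Informational tokens" line that db2level prints and tests the major.minor.mod triple against the inclusive ranges 11.5.0 through 11.5.9 and 12.1.0 through 12.1.3 given in this page. The db2level output below is a constructed sample with placeholder build tokens, not real output.

```python
import re
import subprocess

# Added example. Affected ranges as stated in this advisory (inclusive on both
# ends), compared as (major, minor, mod) tuples.
AFFECTED_RANGES = (
    ((11, 5, 0), (11, 5, 9)),
    ((12, 1, 0), (12, 1, 3)),
)

# db2level reports the release inside its "Informational tokens" line as
# "DB2 v<major>.<minor>.<mod>.<fixpack>".
VERSION_RE = re.compile(r'"DB2 v(\d+)\.(\d+)\.(\d+)\.(\d+)"')


def parse_db2level(output: str):
    """Return (major, minor, mod, fixpack) from db2level output, or None."""
    m = VERSION_RE.search(output)
    return tuple(int(g) for g in m.groups()) if m else None


def is_in_affected_range(version) -> bool:
    """True when major.minor.mod lies inside one of the listed ranges."""
    core = tuple(version[:3])
    return any(lo <= core <= hi for lo, hi in AFFECTED_RANGES)


def assess(output: str) -> dict:
    """Classify a db2level dump: affected-range, outside-listed-ranges, unknown."""
    version = parse_db2level(output)
    if version is None:
        return {"version": None, "status": "unknown"}
    status = "affected-range" if is_in_affected_range(version) else "outside-listed-ranges"
    return {"version": ".".join(map(str, version)), "status": status}


# Constructed sample shaped like the two relevant db2level lines; the build
# tokens are placeholders, not values from any real installation.
SAMPLE_DB2LEVEL = (
    'Informational tokens are "DB2 v11.5.9.0", "sPLACEHOLDER", '
    '"PLACEHOLDER_ARCH", and Fix Pack "0".\n'
    'Product is installed at "/opt/ibm/db2/V11.5".\n'
)


def assess_local_install() -> dict:
    """Run db2level on this host if present; otherwise fall back to the sample."""
    try:
        out = subprocess.run(["db2level"], capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        out = SAMPLE_DB2LEVEL
    return assess(out)


if __name__ == "__main__":
    print(assess_local_install())
```

A level outside the listed ranges is not by itself proof that the fix is installed: IBM ships interim fixes as special builds that keep the base version number, so confirm the build token against the bulletin rather than relying on the version triple alone.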

📡 Detection & Monitoring

Log Indicators:

  • Unusual XML processing errors
  • File access attempts via XML parsing
  • Memory exhaustion alerts

Network Indicators:

  • XML payloads containing external entity references
  • Unusual outbound connections from Db2 server

SIEM Query:

source="db2*" AND ("XML" OR "ENTITY") AND ("error" OR "exception")
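The network indicator above (XML payloads containing external entity references) can be checked before a document reaches Db2. The following is an added example, not part of this advisory or of any IBM tooling: it scans raw XML text, as captured by a proxy or WAF, for external entity declarations, external DTD references, XInclude markup, and entity-heavy internal DTDs (the resource-consumption case the TL;DR mentions). The payloads are constructed samples with placeholder paths and hosts; the entity-count threshold is an assumed tuning value.

```python
import re

# Added example. Patterns run on raw text so they work on logged payloads that
# may not be well-formed XML.
EXTERNAL_ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?:%\s+)?(?P<name>[^\s>]+)\s+"
    r"(?:SYSTEM\s+[\"'](?P<sys>[^\"']*)[\"']"
    r"|PUBLIC\s+[\"'][^\"']*[\"']\s+[\"'](?P<pub>[^\"']*)[\"'])",
    re.IGNORECASE,
)
EXTERNAL_DTD_RE = re.compile(r"<!DOCTYPE\s+[^\s>\[]+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)
ANY_ENTITY_RE = re.compile(r"<!ENTITY\b", re.IGNORECASE)
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
XINCLUDE_RE = re.compile(
    r"<xi:include\b|xmlns(?::\w+)?\s*=\s*[\"']http://www\.w3\.org/2001/XInclude[\"']",
    re.IGNORECASE,
)
ENTITY_COUNT_THRESHOLD = 10  # assumed tuning value for expansion-style DTDs


def classify_xml(payload: str) -> dict:
    """Return a verdict (ok / review / alert), the indicators found, and any
    external URIs referenced by entity declarations."""
    findings = []
    uris = []
    for m in EXTERNAL_ENTITY_RE.finditer(payload):
        findings.append("external_entity")
        uris.append(m.group("sys") or m.group("pub"))
    if EXTERNAL_DTD_RE.search(payload):
        findings.append("external_dtd")
    if XINCLUDE_RE.search(payload):
        findings.append("xinclude")
    if len(ANY_ENTITY_RE.findall(payload)) >= ENTITY_COUNT_THRESHOLD:
        # Many internal entities cannot reach files or the network but can
        # still exhaust memory through nested expansion.
        findings.append("entity_heavy_dtd")
    if not findings and DOCTYPE_RE.search(payload):
        # Internal DTD only: harmless by itself, but rare in application
        # traffic and worth a second look.
        findings.append("internal_dtd")
    if any(f in findings for f in ("external_entity", "external_dtd", "xinclude", "entity_heavy_dtd")):
        verdict = "alert"
    elif findings:
        verdict = "review"
    else:
        verdict = "ok"
    return {"verdict": verdict, "findings": sorted(set(findings)), "uris": uris}


# Constructed sample payloads; the file path and host are placeholders.
SAMPLE_PAYLOADS = {
    "benign": '<?xml version="1.0"?><order><id>1</id><sku>ABC-123</sku></order>',
    "external_file": ('<?xml version="1.0"?><!DOCTYPE order [<!ENTITY ext SYSTEM '
                      '"file:///tmp/example.txt">]><order><id>&ext;</id></order>'),
    "external_http": ('<!DOCTYPE order [<!ENTITY % remote SYSTEM '
                      '"http://example.invalid/dtd.xml"> %remote;]><order/>'),
    "internal_only": '<!DOCTYPE order [<!ENTITY co "Example Corp">]><order><vendor>&co;</vendor></order>',
    "xinclude": '<order xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include href="other.xml"/></order>',
    "many_entities": "<!DOCTYPE a [" + "".join(f'<!ENTITY e{i} "x">' for i in range(12)) + "]><a/>",
}


def scan_all(payloads: dict) -> dict:
    """Map each payload name to its verdict."""
    return {name: classify_xml(text)["verdict"] for name, text in payloads.items()}


if __name__ == "__main__":
    for name, text in SAMPLE_PAYLOADS.items():
        print(name, classify_xml(text))
```

The URIs collected for "alert" verdicts pair naturally with the outbound-connection indicator above: a declared http URI that is followed by a connection from the Db2 host to that destination is a much stronger signal than either event alone.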
