CVE-2025-36384
📋 TL;DR
This vulnerability allows a local user with filesystem access to escalate privileges on IBM Db2 for Windows systems due to an unquoted search path element. Attackers could execute arbitrary code with higher privileges by placing malicious executables in specific directories. Only Windows installations of IBM Db2 versions 12.1.0 through 12.1.3 are affected.
💻 Affected Systems
- IBM Db2 for Windows
📦 What is this software?
Db2 by IBM
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains SYSTEM/administrator privileges on the Db2 server, leading to complete compromise of the database system and potential data exfiltration or destruction.
Likely Case
Local user with standard privileges escalates to Db2 service account privileges, enabling unauthorized database access and manipulation.
If Mitigated
With proper access controls limiting local user filesystem access, impact is limited to authorized administrators only.
🎯 Exploit Status
Exploitation requires local access to the filesystem and knowledge of Db2 installation paths. No authentication bypass needed beyond local system access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply fix pack 12.1.4 or later
Vendor Advisory: https://www.ibm.com/support/pages/node/7257678
Restart Required: Yes
Instructions:
1. Download IBM Db2 fix pack 12.1.4 or later from IBM Fix Central.
2. Stop all Db2 services and applications.
3. Apply the fix pack following IBM installation instructions.
4. Restart Db2 services and verify successful installation.
🔧 Temporary Workarounds
Restrict filesystem permissions
(Windows) Limit write access to the directories in the Db2 installation path so that standard users cannot place executables there. The deny rules below cover the installation tree; apply the same check to the parent directories above it, since the ambiguity in an unquoted path sits in the portion before the executable name.
icacls "C:\Program Files\IBM\SQLLIB\*" /deny Users:(OI)(CI)W
icacls "C:\Program Files\IBM\SQLLIB\*" /deny "Authenticated Users":(OI)(CI)W
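To confirm that the hardening above actually closed the gap, the following PowerShell script (added here; it is not part of the IBM advisory) walks every parent directory of a service executable and reports any Allow entry that lets a low-privileged principal create files there. The function names, the list of low-privileged groups and the Db2 path are assumptions: the path is the default install location used on this page, so adjust it to your DB2COPY.

```powershell
# Added example, not part of the IBM advisory: confirm that no low-privileged principal
# can create files in any directory on the path to a service executable, which is the
# condition the icacls hardening is meant to remove. Runs as any user that can read
# the directory ACLs. Function names and the group list are assumptions.

function Get-ParentDirectory {
    param([Parameter(Mandatory)] [string]$Path)
    # Yield every ancestor of the file, from its own folder up to the drive root.
    $dir = [System.IO.Path]::GetDirectoryName($Path)
    while ($dir) {
        $dir
        $dir = [System.IO.Path]::GetDirectoryName($dir)   # $null once the root is reached
    }
}

function Test-ServicePathWritable {
    param(
        [Parameter(Mandatory)] [string]$ExecutablePath,
        # Principals every local user belongs to; extend with site-specific groups.
        [string[]]$Principal = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                                 'Everyone', 'NT AUTHORITY\INTERACTIVE')
    )
    $createFiles  = 0x2         # FILE_WRITE_DATA: the right needed to drop a file into a folder
    $genericWrite = 0x50000000  # GENERIC_WRITE | GENERIC_ALL on unmapped generic ACEs
    foreach ($dir in Get-ParentDirectory -Path $ExecutablePath) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        # Keep ACEs for the watched principals that apply to this folder itself;
        # inherit-only ACEs (PropagationFlags bit 2) only govern children.
        $rules = (Get-Acl -LiteralPath $dir).Access | Where-Object {
            $Principal -contains $_.IdentityReference.Value -and
            (([int]$_.PropagationFlags) -band 2) -eq 0
        }
        # An explicit Deny for the same principal (what icacls /deny adds) wins over Allow.
        $denied = $rules | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            ((([int]$_.FileSystemRights) -band $createFiles) -or (([int]$_.FileSystemRights) -band $genericWrite))
        } | ForEach-Object { $_.IdentityReference.Value }
        foreach ($rule in $rules) {
            $rights = [int]$rule.FileSystemRights
            $grantsCreate = ($rights -band $createFiles) -or ($rights -band $genericWrite)
            if ($rule.AccessControlType -eq 'Allow' -and $grantsCreate -and
                ($denied -notcontains $rule.IdentityReference.Value)) {
                [pscustomobject]@{
                    Directory = $dir
                    Principal = $rule.IdentityReference.Value
                    Rights    = $rule.FileSystemRights
                    Inherited = $rule.IsInherited
                }
            }
        }
    }
}

# Default Db2 install path from this page; change it to match your installation.
$findings = Test-ServicePathWritable -ExecutablePath 'C:\Program Files\IBM\SQLLIB\BIN\db2syscs.exe'
if ($findings) { $findings | Format-Table -AutoSize } else { 'No low-privileged file-create access on the path.' }
```

The check only resolves the principals named in the list; membership of custom groups is not expanded, so treat an empty result as a first pass rather than a full effective-permissions audit.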
Quote service paths
(Windows) Manually edit the Windows service configuration so the Db2 services use quoted paths. 'sc config' replaces the whole binary path, so first run 'sc qc "<service name>"' and carry any arguments shown in BINARY_PATH_NAME over into the quoted value. The service names below are examples and vary with the DB2COPY name; confirm them with 'sc query' or the Services console.
sc config "Db2 - DB2COPY1" binPath= "\"C:\Program Files\IBM\SQLLIB\BIN\db2syscs.exe\""
sc config "Db2 Governor - DB2COPY1" binPath= "\"C:\Program Files\IBM\SQLLIB\BIN\db2govd.exe\""
🧯 If You Can't Patch
- Implement strict access controls to limit local user access to Db2 servers
- Monitor for unauthorized privilege escalation attempts using endpoint detection tools
🔍 How to Verify
Check if Vulnerable:
Run the 'db2level' command and check whether the reported version is between 12.1.0 and 12.1.3 on Windows.
Check Version:
db2level
Verify Fix Applied:
Run 'db2level' to confirm the version is 12.1.4 or later, and check in the Windows Services manager (or with 'sc qc') that the Db2 service paths are quoted.
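Checking service paths one by one in the Services manager does not scale, so here is an added PowerShell audit (not from the IBM advisory) that lists every service whose ImagePath is unquoted and contains a space, and can rewrite the value with only the executable quoted so that existing arguments survive. It reads the registry directly so REG_EXPAND_SZ values are seen unexpanded. The function names and the 'DB2*' name prefix are assumptions; run it elevated and restart the affected services afterwards.

```powershell
# Added example, not part of the IBM advisory: enumerate services whose ImagePath is
# unquoted and contains a space, and optionally rewrite the value with the executable
# quoted. Function names and the 'DB2*' filter are assumptions. Run as an administrator.

function Get-UnquotedServicePath {
    [CmdletBinding()]
    param(
        # Wildcard on the service key name; '*' audits every service.
        [string]$Name = '*'
    )
    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like $Name } |
        ForEach-Object {
            # Read the raw value so %SystemRoot%-style entries are not expanded.
            $raw = [string]($_.GetValue('ImagePath', $null,
                [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames))
            if (-not $raw) { return }
            $imagePath = $raw.Trim()
            # A leading quote delimits the executable; nothing to fix.
            if ($imagePath.StartsWith('"')) { return }
            # Split the executable from its arguments at the first ".exe" token
            # (-match is case-insensitive by default).
            if ($imagePath -match '^(?<exe>.+?\.exe)(?<args>.*)$') {
                $exe = $Matches['exe']; $argPart = $Matches['args']
            } else {
                $exe = $imagePath; $argPart = ''
            }
            # Only an executable path containing a space is ambiguous to the service loader.
            if ($exe -notmatch ' ') { return }
            [pscustomobject]@{
                Name        = $_.PSChildName
                DisplayName = [string]($_.GetValue('DisplayName'))
                RunsAs      = [string]($_.GetValue('ObjectName'))
                ImagePath   = $imagePath
                QuotedPath  = '"' + $exe + '"' + $argPart   # arguments preserved verbatim
            }
        }
}

function Repair-UnquotedServicePath {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)] [pscustomobject]$Service)
    process {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($Service.Name)"
        # Preserve the existing value kind (REG_SZ or REG_EXPAND_SZ) when writing back.
        $kind = (Get-Item -Path $key).GetValueKind('ImagePath')
        if ($PSCmdlet.ShouldProcess($Service.Name, "set ImagePath to $($Service.QuotedPath)")) {
            Set-ItemProperty -Path $key -Name ImagePath -Value $Service.QuotedPath -Type $kind
        }
    }
}

# Report first; -WhatIf previews the registry change, drop it to apply.
Get-UnquotedServicePath -Name 'DB2*' | Format-Table Name, RunsAs, ImagePath -AutoSize
Get-UnquotedServicePath -Name 'DB2*' | Repair-UnquotedServicePath -WhatIf
```

Writing ImagePath in the registry rather than calling 'sc config' sidesteps the nested-quote escaping and keeps the original arguments; the new path takes effect on the next service start.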
📡 Detection & Monitoring
Log Indicators:
- Unexpected process execution from Db2 installation directories
- Failed privilege escalation attempts in Windows security logs
- Unauthorized service modifications
Network Indicators:
- None - this is a local exploit
SIEM Query:
EventID=4688 AND (ProcessName LIKE '%db2syscs.exe%' OR ProcessName LIKE '%db2govd.exe%') AND ParentProcessName NOT LIKE '%db2%'