Cyber Posture

CVE-2025-36247

Severity: High
Published: 17 February 2026
Modified: 18 February 2026
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L)
EPSS Score: 0.0024 (46.2nd percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 through 11.5.9 and 12.1.0 through 12.1.3 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.

Mitigating Controls (NIST 800-53 r5; AI-generated mapping)

Prevent: Directly mitigates the XXE vulnerability by identifying, reporting and applying the vendor patch as recommended in IBM's security advisory. This is the only control that removes the flaw; the two below reduce exposure until the fix is in place.

Prevent: Reduces exploitability by validating XML inputs before they reach Db2 XML processing, in particular by rejecting any document that carries a DOCTYPE or ENTITY declaration, since an external entity reference cannot exist without one.

Prevent: Enforces secure parser configuration (least functionality): a parser that handles untrusted XML should have external entity resolution and DTD processing disabled. Because the affected parser is part of the Db2 engine rather than an application library the customer configures, expect this control to be realised through the vendor fix for Db2 itself; the setting applies literally to any application-side parser that handles XML before it is sent to Db2. At the deployment level, restricting which database users may submit XML and limiting outbound network egress from the database host narrow what a resolved entity can reach.
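The following is an added example, not code from this page, from IBM or from Db2. The affected parser lives inside the Db2 engine and the advisory does not say which Db2 XML code path is involved, so Python's standard-library SAX parser (expat) stands in for any parser that honours DTD entity declarations. It shows the two outcomes the description names (a file read back through an external entity, and memory consumed by entity expansion) and the two non-patch controls above (refusing DTDs, and never resolving external entities). The function names parse_text, has_dtd and safe_parse_text, the constructed payloads and the made-up secret "db2inst1:hunter2" are all assumptions for illustration.

```python
"""Added example (not IBM's or Db2's code): why XXE leaks files and eats memory,
and what the two hardening controls look like, using Python's stdlib SAX parser
(expat) as a stand-in for any XML parser that honours DTD entity declarations."""
import io
import os
import re
import tempfile
import xml.sax
from xml.sax import handler


class TextCollector(handler.ContentHandler):
    """Collects every run of character data the parser delivers."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self) -> str:
        return "".join(self.parts)


def parse_text(xml_bytes: bytes, allow_external_entities: bool) -> str:
    """Parse a document and return its text content.

    allow_external_entities=True makes the parser fetch SYSTEM entities
    (the vulnerable behaviour); False is the hardened setting.
    """
    collector = TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(collector)
    parser.setFeature(handler.feature_external_ges, allow_external_entities)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def xxe_file_read_demo():
    """Constructed payload: an external entity whose SYSTEM id is a local file.

    Returns (text_from_vulnerable_parser, text_from_hardened_parser).
    """
    with tempfile.NamedTemporaryFile("w", suffix=".cfg", delete=False) as f:
        f.write("db2inst1:hunter2")  # constructed secret, not a real credential
        secret_path = f.name
    try:
        doc = (
            '<?xml version="1.0"?>\n'
            '<!DOCTYPE lookup [\n'
            f'  <!ENTITY xxe SYSTEM "{secret_path}">\n'
            ']>\n'
            '<lookup><value>&xxe;</value></lookup>\n'
        ).encode()
        vulnerable = parse_text(doc, allow_external_entities=True)
        hardened = parse_text(doc, allow_external_entities=False)
    finally:
        os.unlink(secret_path)
    return vulnerable, hardened


def build_expansion_doc(depth: int, fanout: int) -> bytes:
    """Constructed 'billion laughs' style payload using only internal entities.

    The expanded text is fanout**depth copies of 'lol', so a few hundred bytes
    of input can demand megabytes of memory without touching any external file.
    Disabling external entities alone does not stop this; refusing DTDs does.
    """
    decls = ['<!ENTITY e0 "lol">']
    for i in range(1, depth + 1):
        decls.append('<!ENTITY e%d "%s">' % (i, ("&e%d;" % (i - 1)) * fanout))
    doc = ('<?xml version="1.0"?>\n<!DOCTYPE d [\n' + "\n".join(decls)
           + '\n]>\n<d>&e%d;</d>\n' % depth)
    return doc.encode()


# Pre-parse screen for the "validate XML inputs" control: ordinary data
# exchange rarely needs a DTD, so reject any document that declares one.
# Deliberately conservative: the literal '<!DOCTYPE' inside a CDATA section is
# also rejected (a false positive), but a real DTD can never slip past.
# Assumes UTF-8/ASCII bytes; transcode UTF-16 input before screening.
DTD_MARKER = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b")


def has_dtd(xml_bytes: bytes) -> bool:
    return DTD_MARKER.search(xml_bytes) is not None


def safe_parse_text(xml_bytes: bytes) -> str:
    """Both controls together: refuse DTDs, and never resolve external entities."""
    if has_dtd(xml_bytes):
        raise ValueError("XML with a DTD rejected")
    return parse_text(xml_bytes, allow_external_entities=False)


if __name__ == "__main__":
    leaked, withheld = xxe_file_read_demo()
    print("vulnerable parser returned:", repr(leaked))
    print("hardened parser returned:  ", repr(withheld))
    bomb = build_expansion_doc(depth=3, fanout=10)
    expanded = parse_text(bomb, allow_external_entities=False)
    print("expansion: %d input bytes -> %d output chars" % (len(bomb), len(expanded)))
    for sample in (bomb, b"<lookup><value>plain</value></lookup>"):
        try:
            print("safe_parse_text ->", repr(safe_parse_text(sample)))
        except ValueError as err:
            print("safe_parse_text ->", err)
```

Run it directly and the vulnerable parser prints the contents of the temporary "config" file while the hardened one prints an empty string; the expansion payload of roughly two hundred input bytes yields 3,000 characters of output even with external entities disabled, which is why the DTD screen is the control that addresses the memory-consumption outcome.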

Security Summary (AI-generated)

CVE-2025-36247 is an XML external entity injection (XXE) vulnerability, classified under CWE-611, affecting IBM Db2 for Linux, UNIX, and Windows, including Db2 Connect Server, in versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.3. The flaw lies in how the product processes XML data: the parser honours entity declarations in attacker-supplied documents, which is how XXE typically lets an entity pull in a resource the database process can read, or expand into enough data to exhaust memory.

A remote attacker with low privileges (PR:L, which for a database service generally means a connected user with ordinary rights) can exploit the flaw over the network with low attack complexity and no user interaction. The CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L) reflects the two outcomes the advisory describes: disclosure of sensitive information (confidentiality impact high) and consumption of memory resources (availability impact low); integrity is not affected.

IBM provides patch and mitigation details in its security advisory at https://www.ibm.com/support/pages/node/7259961.

Details

CWE(s)

CWE-611 Improper Restriction of XML External Entity Reference

Affected Products

ibm
db2
11.5.0 — 11.5.9 · 12.1.0 — 12.1.3

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

XXE enables exploitation of remote Db2 service (T1210) for local file disclosure (T1005) and memory exhaustion DoS (T1499.004), matching high confidentiality and low availability impacts.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

IBM security advisory: https://www.ibm.com/support/pages/node/7259961