CVE-2025-36004 Overview
CVE-2025-36004 is a privilege escalation vulnerability affecting IBM i versions 7.2, 7.3, 7.4, and 7.5. The vulnerability exists in IBM Facsimile Support for i due to an unqualified library call, which could allow a low-privileged user to execute user-controlled code with administrator privileges. This type of vulnerability (CWE-427: Uncontrolled Search Path Element) occurs when software uses a search path to locate critical resources without properly restricting which directories can be searched.
Critical Impact
A malicious actor with low-privilege access could exploit this vulnerability to gain administrator privileges on affected IBM i systems, potentially leading to complete system compromise with full confidentiality, integrity, and availability impact.
Affected Products
- IBM i 7.2
- IBM i 7.3
- IBM i 7.4
- IBM i 7.5
Discovery Timeline
- June 25, 2025 - CVE-2025-36004 published to NVD
- July 3, 2025 - Last updated in NVD database
Technical Details for CVE-2025-36004
Vulnerability Analysis
The vulnerability in IBM Facsimile Support for i stems from an unqualified library call, classified under CWE-427 (Uncontrolled Search Path Element). In IBM i environments, library lists determine the order in which the system searches for objects. When a program makes an unqualified library call—meaning it references a library object without specifying the full path—the system searches through the library list in order until it finds a matching object.
An attacker with low-privilege network access can exploit this behavior by placing a malicious library object earlier in the search path. When the Facsimile Support component executes with elevated privileges and makes the unqualified call, it inadvertently loads the attacker's malicious code instead of the legitimate library, resulting in code execution with administrator privileges.
Root Cause
The root cause is an unqualified library call within IBM Facsimile Support for i. The vulnerable code references a library object without specifying its absolute path, allowing the system's library list search mechanism to potentially resolve to a user-controlled malicious library. This is a classic example of CWE-427 where the application fails to properly qualify resource paths, creating an opportunity for privilege escalation through library injection.
Attack Vector
The attack can be executed remotely over the network by an authenticated user with low privileges. The attacker must have the ability to create or modify library objects in directories that appear earlier in the library search path than the legitimate target library. When the Facsimile Support component runs its privileged operations and makes the unqualified library call, the attacker's malicious code executes with administrator privileges instead of the intended legitimate code.
The exploitation does not require user interaction and affects the confidentiality, integrity, and availability of the vulnerable system. Given that IBM i systems are commonly deployed in enterprise environments for critical business operations, successful exploitation could lead to significant business impact.
Detection Methods for CVE-2025-36004
Indicators of Compromise
- Unexpected or unauthorized library objects appearing in system or user library lists
- Anomalous library list modifications, particularly additions to positions early in the search order
- Unusual process execution patterns from IBM Facsimile Support for i with unexpected library loads
- Evidence of privilege escalation attempts or unauthorized administrator-level actions
Detection Strategies
- Monitor library list changes on IBM i systems, particularly modifications that add new entries to privileged search paths
- Audit the creation and modification of library objects in directories accessible to low-privileged users
- Implement file integrity monitoring for critical system libraries used by Facsimile Support for i
- Review system logs for unexpected privilege changes or administrator actions from non-admin users
Monitoring Recommendations
- Enable comprehensive auditing of library object access and modifications on IBM i systems
- Configure alerts for library list modifications, especially those affecting system-wide search paths
- Monitor for unusual Facsimile Support for i activity patterns that may indicate exploitation attempts
- Implement regular integrity checks comparing current library objects against known-good baselines
How to Mitigate CVE-2025-36004
Immediate Actions Required
- Apply the security patch from IBM as documented in the official security advisory
- Review and restrict permissions on library lists to prevent unauthorized modifications
- Audit existing library objects for any suspicious or unauthorized additions
- Implement least-privilege principles for users who interact with Facsimile Support for i
Patch Information
IBM has released a security patch to address this vulnerability. Organizations should apply the fix as soon as possible to protect against potential exploitation. Detailed patch information and installation instructions are available in the IBM Support Advisory.
Workarounds
- Restrict access to the IBM Facsimile Support for i functionality to only essential users until patches can be applied
- Implement strict controls on library list modifications, preventing low-privileged users from adding entries
- Review and harden library list configurations to ensure critical system libraries are always resolved from trusted paths
- Consider temporarily disabling Facsimile Support for i if it is not business-critical while awaiting patch deployment
# Configuration example - Review library list to identify potential attack vectors
# On IBM i, use the following command to display current library list:
DSPLIBL
# Check for unauthorized library objects in user libraries:
DSPOBJD OBJ(*USRLIBL/*ALL) OBJTYPE(*ALL)
# Review and restrict library list modifications through system security settings
WRKSYSVAL SYSVAL(QSYSLIBL)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
