CVE-2025-36119 Overview
CVE-2025-36119 affects IBM i versions 7.3, 7.4, 7.5, and 7.6. The vulnerability exists in IBM Digital Certificate Manager for i (DCM) and allows web session hijacking. An authenticated user without administrator privileges can exploit this flaw to perform actions in DCM as an administrator. The weakness is classified as [CWE-290] Authentication Bypass by Spoofing.
The vulnerability is exploitable over the network with low attack complexity and requires only low-privileged authentication. Successful exploitation compromises the confidentiality, integrity, and availability of certificate management operations on affected IBM i systems.
Critical Impact
An authenticated low-privileged user can hijack an administrator session in IBM Digital Certificate Manager and execute administrative actions, including manipulation of digital certificates that underpin TLS and authentication across the IBM i platform.
Affected Products
- IBM i 7.3
- IBM i 7.4
- IBM i 7.5
- IBM i 7.6
Discovery Timeline
- 2025-08-08 - CVE-2025-36119 published to NVD
- 2025-08-15 - Last updated in NVD database
Technical Details for CVE-2025-36119
Vulnerability Analysis
IBM Digital Certificate Manager for i is the web-based application used to create, manage, and assign digital certificates on the IBM i operating system. The product runs as part of the IBM i HTTP administrative server and handles certificate stores used for TLS, object signing, and application authentication.
The vulnerability allows an authenticated user to impersonate another active DCM session. Because DCM operates with elevated authority when used by an administrator, hijacking that session grants the attacker the same authority within the DCM interface. The flaw maps to [CWE-290], indicating the application accepts session identity without sufficient verification that the request originates from the legitimate session owner.
Root Cause
The root cause is improper validation of session ownership in the DCM web component. Session state binding does not adequately differentiate between authenticated users, allowing one authenticated user to assume the session context of another user, including an administrator.
Attack Vector
Exploitation requires network access to the DCM web interface and valid IBM i credentials with no administrator role. The attacker authenticates to the system, then targets an active DCM administrator session. After hijacking the session, the attacker issues DCM operations such as creating, deleting, exporting, or reassigning certificates, modifying certificate stores, or altering trust relationships used by applications on the host.
No verified public proof-of-concept code is available. See the IBM Support Page for vendor-supplied technical details.
Detection Methods for CVE-2025-36119
Indicators of Compromise
- Unexpected certificate creation, renewal, deletion, or export events recorded as entries in the IBM i system audit journal (QAUDJRN).
- DCM administrative actions originating from user profiles that do not normally hold administrator authority.
- Concurrent DCM sessions associated with the same administrator account from different source IP addresses.
Detection Strategies
- Review QAUDJRN journal entries for *SECURITY and *OBJMGT events tied to DCM certificate stores such as *SYSTEM and *OBJECTSIGNING.
- Correlate IBM HTTP Server access logs with IBM i user profile activity to identify session identifiers reused across different authenticated users.
- Flag any DCM administrative action that is not preceded by an interactive administrator authentication from the same source.
Monitoring Recommendations
- Forward IBM i audit journal and HTTP admin server logs to a centralized SIEM for correlation and retention.
- Alert on changes to system certificate stores, application certificate assignments, and Certificate Authority trust lists.
- Monitor for low-privileged users accessing the /QIBM/ICSS/Cert/Admin/qycucm1.ndm DCM endpoints outside normal business activity.
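The session-reuse and privilege checks listed above (a session identifier shared across different authenticated users, one administrator account active from several source addresses, and non-administrator profiles reaching the DCM endpoint) can be expressed as a small offline pass over access-log records. The script below is an added example and is not code from the original advisory or from IBM. Its log format is an assumption: a constructed, space-separated line of timestamp, source IP, IBM i user profile, session identifier and request path. A real IBM HTTP Server instance only emits user and session fields if its LogFormat is configured to include them, so the field layout and the ADMIN_PROFILES set must be adapted to the system being monitored.

```python
"""Session-reuse and privilege-anomaly checks over DCM access-log records.

Added example, not code from the original advisory or from IBM. The log
layout below is an assumption (constructed for this example):
    <timestamp> <source_ip> <user_profile> <session_id> <request_path>
"""
from collections import defaultdict

# Constructed sample input, not real log data. Line 3 shows a second
# profile presenting the administrator's session id from another address.
SAMPLE_LOG = """\
2025-08-10T09:00:01 10.1.5.20 QSECOFR SID-AAA111 /QIBM/ICSS/Cert/Admin/qycucm1.ndm
2025-08-10T09:00:05 10.1.5.20 QSECOFR SID-AAA111 /QIBM/ICSS/Cert/Admin/qycucm1.ndm
2025-08-10T09:03:12 10.1.7.99 JDOE    SID-AAA111 /QIBM/ICSS/Cert/Admin/qycucm1.ndm
2025-08-10T09:04:40 10.1.7.99 QSECOFR SID-AAA111 /QIBM/ICSS/Cert/Admin/qycucm1.ndm
2025-08-10T09:10:00 10.1.5.21 CERTADM SID-BBB222 /QIBM/ICSS/Cert/Admin/qycucm1.ndm
2025-08-10T09:11:00 10.1.5.21 JSMITH  SID-CCC333 /QIBM/ICSS/Cert/Admin/qycucm1.ndm
"""

# Assumed set of profiles that legitimately administer DCM on this system.
ADMIN_PROFILES = {"QSECOFR", "CERTADM"}
# DCM administrative endpoint named in the advisory's monitoring guidance.
DCM_ADMIN_PATH = "/QIBM/ICSS/Cert/Admin/qycucm1.ndm"


def parse_log(text):
    """Parse constructed log lines into dicts, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, ip, user, sid, path = parts
        records.append({"ts": ts, "ip": ip, "user": user, "sid": sid, "path": path})
    return records


def analyze(records, admin_profiles=ADMIN_PROFILES):
    """Return findings for the three checks, keyed by check name.

    session_shared_by_users: session id presented by more than one profile
    admin_multi_ip:          admin profile seen from more than one source IP
    nonadmin_dcm_access:     non-admin profile requesting the DCM admin path
    """
    users_by_sid = defaultdict(set)
    ips_by_admin = defaultdict(set)
    nonadmin_hits = set()
    for r in records:
        users_by_sid[r["sid"]].add(r["user"])
        if r["user"] in admin_profiles:
            ips_by_admin[r["user"]].add(r["ip"])
        elif r["path"].startswith(DCM_ADMIN_PATH):
            nonadmin_hits.add((r["user"], r["ip"], r["ts"]))
    return {
        "session_shared_by_users": {
            sid: sorted(users) for sid, users in users_by_sid.items() if len(users) > 1
        },
        "admin_multi_ip": {
            user: sorted(ips) for user, ips in ips_by_admin.items() if len(ips) > 1
        },
        "nonadmin_dcm_access": sorted(nonadmin_hits),
    }


if __name__ == "__main__":
    for check, hits in analyze(parse_log(SAMPLE_LOG)).items():
        print(f"{check}: {hits}")
```

On the constructed sample, the first check reports SID-AAA111 as shared by JDOE and QSECOFR, the second reports QSECOFR active from two addresses, and the third lists JDOE and JSMITH reaching the DCM endpoint; a single session id appearing under two profiles is the strongest of the three signals, while the other two are context that a SIEM rule would weight against known administrator workstations.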
How to Mitigate CVE-2025-36119
Immediate Actions Required
- Apply the IBM-provided PTF for the affected IBM i release as referenced in the IBM Support Page.
- Restrict network access to the DCM administrative interface to trusted management subnets only.
- Audit IBM i user profiles and remove unnecessary access to the DCM application and HTTP admin server.
Patch Information
IBM has issued fixes for IBM i 7.3, 7.4, 7.5, and 7.6. Refer to the IBM advisory on the IBM Support Page for the specific PTF numbers per release and installation guidance.
Workarounds
- Stop the DCM-related HTTP admin server instance when not in active use to remove the exposed session surface.
- Require administrators to terminate DCM sessions and sign off the HTTP admin interface immediately after each administrative task.
- Limit IBM i sign-on access to the system from untrusted networks using exit programs or firewall rules until patches are applied.
/* Stop the IBM i HTTP administrative server instance hosting DCM */
ENDTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)
/* Restart only after the PTFs from IBM advisory 7241008 are applied */
STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

