CVE-2025-36128 Overview
CVE-2025-36128 is a denial of service vulnerability affecting IBM MQ message queueing software across multiple versions. The vulnerability stems from improper enforcement of timeout on individual read operations, allowing remote attackers to conduct slowloris-type attacks that can render the messaging service unavailable.
Slowloris attacks work by opening multiple connections to the target server and sending partial HTTP requests, keeping these connections open for as long as possible. In the context of IBM MQ, the same technique applies to the queue manager listener: the improper timeout handling on read operations lets an attacker hold connections open, exhaust server resources, and deny service to legitimate users.
Critical Impact
Remote attackers can exploit this vulnerability without authentication to cause a denial of service condition, disrupting critical enterprise messaging infrastructure and potentially affecting business-critical applications that depend on IBM MQ.
Affected Products
- IBM MQ 9.1 LTS
- IBM MQ 9.2 LTS
- IBM MQ 9.3 LTS and CD (Continuous Delivery)
- IBM MQ 9.4 LTS and CD (Continuous Delivery)
- Supported Operating Systems: IBM AIX, IBM i, Linux, Microsoft Windows, Oracle Solaris
Discovery Timeline
- 2025-10-16 - CVE-2025-36128 published to NVD
- 2025-10-28 - Last updated in NVD database
Technical Details for CVE-2025-36128
Vulnerability Analysis
This vulnerability is classified under CWE-772 (Missing Release of Resource after Effective Lifetime). The core issue lies in IBM MQ's failure to properly enforce timeouts on individual read operations, which allows connections to remain open indefinitely when partial data is sent.
In a typical message queueing environment, IBM MQ handles numerous concurrent connections from client applications. When read operations do not have properly enforced timeouts, an attacker can establish multiple connections and deliberately send data at an extremely slow rate or send incomplete requests. This behavior prevents the server from releasing the connection resources, eventually exhausting the available connection pool.
The impact is particularly severe in enterprise environments where IBM MQ serves as the backbone for application integration, handling critical business transactions and inter-system communications.
Root Cause
The root cause of CVE-2025-36128 is the missing release of resources after their effective lifetime. Specifically, IBM MQ does not adequately enforce timeout limits on individual read operations within connection handlers. This allows an attacker to hold connections open by trickling data at rates slower than the timeout threshold, or by initiating connections and never completing the expected read operations.
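As an added illustration of the read-timeout defect described above (example code written for this page, not IBM MQ's implementation or anything from the advisory), the reader below enforces a total time budget on completing a whole frame rather than an idle timeout between bytes, so trickling data just under a per-byte threshold cannot extend it; passing deadline=None reproduces the vulnerable pattern in which the handler waits indefinitely. The names read_frame and simulate, the socketpair, the frame length and the trickle interval are all constructed for the demonstration.

```python
import socket
import threading
import time


def read_frame(sock, length, deadline):
    """Read exactly `length` bytes. `deadline` is the total budget in seconds for
    the whole frame, measured from the first call and never reset when a byte
    arrives. deadline=None waits forever for each byte: the vulnerable pattern."""
    buf = bytearray()
    start = time.monotonic()
    while len(buf) < length:
        if deadline is not None:
            remaining = deadline - (time.monotonic() - start)
            if remaining <= 0:
                raise TimeoutError(f"{len(buf)}/{length} bytes in {deadline}s")
        sock.settimeout(None if deadline is None else remaining)
        try:
            chunk = sock.recv(length - len(buf))
        except socket.timeout:
            raise TimeoutError(f"{len(buf)}/{length} bytes in {deadline}s")
        if not chunk:                      # peer closed mid-frame
            raise ConnectionError("peer closed before the frame completed")
        buf += chunk
    return bytes(buf)


def _trickle(sock, payload, interval):
    """Constructed slow peer: one byte every `interval` seconds (slowloris)."""
    try:
        for b in payload:
            sock.sendall(bytes([b]))
            time.sleep(interval)
    except OSError:
        pass                               # reader gave up and closed on us
    sock.close()


def simulate(payload, interval, deadline):
    """Return (outcome, seconds the read handler stayed occupied)."""
    server, client = socket.socketpair()
    threading.Thread(target=_trickle, args=(client, payload, interval), daemon=True).start()
    start = time.monotonic()
    try:
        read_frame(server, len(payload), deadline)
        outcome = "complete"
    except TimeoutError:
        outcome = "timeout"
    finally:
        server.close()
    return outcome, time.monotonic() - start
```

With a 0.5 s budget the handler is released after about half a second regardless of how slowly bytes arrive, while the unbounded variant stays occupied for as long as the peer keeps trickling.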
Attack Vector
The attack vector is network-based and can be exploited remotely without any authentication or user interaction. An attacker can launch a slowloris-type attack by:
- Opening multiple TCP connections to the IBM MQ listener port
- Sending partial or incomplete data payloads at an extremely slow rate
- Keeping connections alive without completing the read operations
- Repeating this process until server resources are exhausted
This attack prevents legitimate clients from establishing new connections to the IBM MQ queue manager, effectively causing a denial of service.
Detection Methods for CVE-2025-36128
Indicators of Compromise
- Unusual number of half-open or slow connections to IBM MQ listener ports (typically 1414)
- Sudden increase in connection count without corresponding message throughput increase
- Resource exhaustion warnings in IBM MQ error logs
- Client applications reporting connection timeouts or failures to connect to queue managers
Detection Strategies
- Monitor IBM MQ connection statistics for anomalous connection patterns and unusually long connection durations
- Configure network intrusion detection systems (IDS) to detect slowloris attack patterns targeting IBM MQ ports
- Set up alerts for sudden spikes in concurrent connections to queue managers
- Implement connection rate limiting and anomaly detection at the network perimeter
Monitoring Recommendations
- Enable detailed logging for IBM MQ connection events and review logs for suspicious patterns
- Configure SNMP or monitoring agents to track queue manager resource utilization and connection counts
- Establish baseline metrics for normal connection behavior to identify deviations
- Use application performance monitoring (APM) tools to track IBM MQ response times and availability
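To make the indicators, detection strategies and baseline recommendations above concrete, here is an added example (written for this page, not IBM MQ tooling) that flags sources holding several long-lived, nearly idle sessions on the listener port and compares the current session count against an established baseline. The snapshot format, the addresses and the thresholds are constructed for illustration, not real queue manager output.

```python
from collections import defaultdict

# Constructed snapshot of client TCP sessions on a queue manager's listener port
# (illustrative format, not real IBM MQ output): src_ip,dst_port,age_seconds,bytes_in
SNAPSHOT = """\
10.0.0.5,1414,12,48211
10.0.0.7,1414,3,9120
198.51.100.9,1414,610,24
198.51.100.9,1414,605,20
198.51.100.9,1414,598,31
198.51.100.9,1414,590,18
203.0.113.4,1414,900,0
10.0.0.5,1414,7,30077
"""


def parse_snapshot(text):
    """Parse the constructed snapshot into (src, port, age, bytes) tuples."""
    rows = []
    for line in text.splitlines():
        src, port, age, nbytes = line.split(",")
        rows.append((src, int(port), int(age), int(nbytes)))
    return rows


def slow_connection_sources(rows, port=1414, min_age=300, max_rate=1.0, min_conns=3):
    """Flag sources holding at least `min_conns` sessions on `port` that are older
    than `min_age` seconds and have delivered under `max_rate` bytes/s: long-lived
    but nearly idle connections are the slowloris signature."""
    suspects = defaultdict(int)
    for src, dport, age, nbytes in rows:
        rate = nbytes / age if age else float("inf")  # brand-new session: not idle yet
        if dport == port and age >= min_age and rate < max_rate:
            suspects[src] += 1
    return {src: n for src, n in suspects.items() if n >= min_conns}


def connection_spike(rows, port, baseline_mean, baseline_std, z=3.0):
    """Compare the current session count on `port` with a baseline (mean and
    standard deviation from normal periods); return (count, z_score, alert)."""
    count = sum(1 for r in rows if r[1] == port)
    score = (count - baseline_mean) / baseline_std if baseline_std else 0.0
    return count, round(score, 2), score >= z
```

The thresholds (five minutes of age, under one byte per second, three sessions per source) should be tuned from the baseline of normal client behaviour before they drive alerts.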
How to Mitigate CVE-2025-36128
Immediate Actions Required
- Apply the latest security patches from IBM for affected MQ versions immediately
- Review and restrict network access to IBM MQ listener ports using firewall rules
- Implement connection rate limiting at the network or application level
- Monitor queue manager health and connection metrics closely for signs of attack
Patch Information
IBM has released security updates to address this vulnerability. Detailed patch information and download links are available on the IBM Support Page. Organizations should prioritize applying these patches to all affected IBM MQ installations across supported platforms, including AIX, IBM i, Linux, Windows, and Solaris.
Workarounds
- Configure aggressive connection timeouts at the network load balancer or reverse proxy level
- Implement IP-based rate limiting to prevent a single source from opening excessive connections
- Use network security appliances to detect and block slowloris-type attack patterns
- Consider deploying IBM MQ behind a firewall that supports application-layer inspection and can identify malformed or incomplete connection attempts
# Example: Configure iptables rate limiting for IBM MQ listener port (1414)
# Cap concurrent sessions per source address; reply with a TCP reset so the client fails fast
iptables -A INPUT -p tcp --dport 1414 -m connlimit --connlimit-above 50 -j REJECT --reject-with tcp-reset
# Throttle only new connections (SYN); without --syn the limit would also drop packets of established sessions
iptables -A INPUT -p tcp --dport 1414 --syn -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
iptables -A INPUT -p tcp --dport 1414 --syn -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.