
CVE-2025-36367: IBM i Privilege Escalation Vulnerability

CVE-2025-36367 is a privilege escalation vulnerability in IBM i caused by invalid SQL services authorization checks. Attackers can exploit this to gain root access. This post covers technical details, affected versions, impact, and mitigation.


CVE-2025-36367 Overview

CVE-2025-36367 is a privilege escalation vulnerability affecting IBM i versions 7.2, 7.3, 7.4, 7.5, and 7.6. The flaw stems from an invalid authorization check in IBM i SQL services. An authenticated attacker can leverage the elevated privileges of another user profile to obtain root-level access to the host operating system. The weakness maps to [CWE-862] Missing Authorization. IBM published an advisory on its support portal addressing the issue across all supported releases.

Critical Impact

An authenticated low-privilege user can escalate to root on the host operating system through IBM i SQL services, compromising confidentiality, integrity, and availability of the affected system.

Affected Products

  • IBM i 7.2, 7.3, and 7.4
  • IBM i 7.5
  • IBM i 7.6

Discovery Timeline

  • 2025-11-01 - CVE-2025-36367 published to NVD
  • 2025-11-05 - Last updated in NVD database

Technical Details for CVE-2025-36367

Vulnerability Analysis

The vulnerability resides in IBM i SQL services, the set of database-driven interfaces that expose system information and administrative functions through SQL queries. SQL services execute under specific authorization contexts that determine what operations a calling user profile is permitted to perform. CVE-2025-36367 reflects an invalid authorization check in this code path. The service fails to properly verify whether the calling user profile is entitled to operate with the privileges of another user profile. Successful exploitation grants root access to the host operating system, bypassing the boundaries IBM i normally enforces between user profiles and privileged system functions.

Root Cause

The root cause is a Missing Authorization weakness [CWE-862] in IBM i SQL services. The affected SQL service does not adequately validate that the requesting user profile possesses the rights associated with the target user profile whose privileges are ultimately used. This authorization gap permits a malicious actor to invoke functionality under an elevated profile context. Because IBM i SQL services can interact directly with the underlying operating system, the missing check translates into a full privilege boundary failure rather than a contained application-level issue.

Attack Vector

The attack is network-reachable and requires authenticated access at low privilege. The attacker connects to IBM i over the standard database service ports and issues SQL service calls that trigger the vulnerable authorization path. By selecting a target user profile with elevated authority, the attacker causes the SQL service to execute on its behalf and gains root access to the host operating system. No user interaction is required. IBM has not reported public exploitation, and no proof-of-concept code has been published as of this writing. Refer to the IBM Support Page Advisory for vendor-confirmed technical details.

Detection Methods for CVE-2025-36367

Indicators of Compromise

  • Unexpected SQL service invocations that reference user profiles the calling profile would not normally adopt.
  • New jobs or processes running under high-authority profiles such as QSECOFR initiated from database connections.
  • Creation or modification of user profiles, authorities, or system values shortly after anomalous SQL service activity.
  • Outbound connections or file transfers originating from IBM i jobs spawned by database sessions.

Detection Strategies

  • Audit IBM i journal entries (QAUDJRN) for AF (authority failure) and CO/CP (user profile create/change) events correlated with SQL service usage.
  • Monitor host server logs for SQL CALL statements referencing IBM i services such as QSYS2 system functions invoked by non-administrative users.
  • Compare actual effective user profile at job completion against the originating connection profile to identify unauthorized profile adoption.

Monitoring Recommendations

  • Forward IBM i audit journals to a centralized SIEM or data lake for correlation with network and identity telemetry.
  • Alert on privilege escalation patterns where database-tier authentication is followed by *ALLOBJ or *SECADM level activity.
  • Baseline normal SQL service usage per user profile and flag deviations in volume or service type.
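The detection strategies and monitoring recommendations above can be turned into a small correlation routine. The following is an added example, not code from the advisory or from IBM: it parses a constructed, pipe-delimited stand-in for exported audit-journal records (not IBM's real QAUDJRN layout) and raises an alert when a database-server session's effective profile diverges into a high-authority profile, when a non-elevated database session performs a profile create/change, or when an authority failure is followed within a short window by a profile change from the same job. The database host server job names, the CO/CP pairing used for profile create/change (taken from the page's own wording), and the special-authority map are assumptions; adjust them to your environment.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumptions, not IBM documentation: job names of the TCP/IP database host server
# and the DRDA server, the audit entry types the advisory pairs with profile
# create/change, and which special authorities count as elevated.
DB_SERVER_JOBS = {"QZDASOINIT", "QRWTSRVR"}
PROFILE_CHANGE_TYPES = {"CO", "CP"}
AUTHORITY_FAILURE = "AF"
ELEVATED = {"*ALLOBJ", "*SECADM"}


@dataclass
class AuditEvent:
    ts: datetime
    entry_type: str
    job_name: str
    job_user: str      # profile that authenticated the connection
    current_user: str  # effective profile at the time of the entry
    detail: str


def parse_event(line: str) -> AuditEvent:
    """Parse one constructed '|'-delimited record (a stand-in for exported audit data)."""
    ts, entry_type, job_name, job_user, current_user, detail = [
        f.strip() for f in line.split("|", 5)
    ]
    return AuditEvent(datetime.fromisoformat(ts), entry_type, job_name,
                      job_user, current_user, detail)


def is_elevated(profile: str, special_auth: dict) -> bool:
    """True when the profile holds any special authority in ELEVATED."""
    return bool(ELEVATED & special_auth.get(profile, set()))


def detect(events, special_auth, window=timedelta(minutes=5)):
    """Return a list of alert dicts for the correlation rules described in the text."""
    alerts = []
    last_af = {}  # (job_name, job_user) -> timestamp of most recent authority failure
    for e in sorted(events, key=lambda ev: ev.ts):
        key = (e.job_name, e.job_user)
        from_db = e.job_name in DB_SERVER_JOBS
        base = {"ts": e.ts.isoformat(), "job": e.job_name,
                "job_user": e.job_user, "current_user": e.current_user}
        # Rule 1: effective profile differs from the connecting profile and is elevated
        if from_db and e.current_user != e.job_user and is_elevated(e.current_user, special_auth):
            alerts.append({"rule": "profile_adoption", **base})
        # Rule 2: database-tier session by a non-elevated profile performs profile create/change
        if from_db and e.entry_type in PROFILE_CHANGE_TYPES and not is_elevated(e.job_user, special_auth):
            alerts.append({"rule": "db_session_profile_change", **base})
        # Rule 3: authority failure followed shortly by a profile change from the same job
        if e.entry_type == AUTHORITY_FAILURE:
            last_af[key] = e.ts
        elif e.entry_type in PROFILE_CHANGE_TYPES and key in last_af and e.ts - last_af[key] <= window:
            alerts.append({"rule": "authority_failure_then_profile_change", **base})
    return alerts


# Constructed sample records; timestamps, job names and profiles are illustrative only.
SAMPLE_LOG = """\
2025-11-02T10:00:01|AF|QZDASOINIT|APPUSER1|APPUSER1|authority failure calling a QSYS2 service
2025-11-02T10:00:20|CP|QZDASOINIT|APPUSER1|QSECOFR|CHGUSRPRF APPUSER1 SPCAUT(*ALLOBJ)
2025-11-02T11:15:00|CP|QPADEV0001|SECADMIN|SECADMIN|scheduled profile maintenance
2025-11-02T12:00:00|ZC|QZDASOINIT|APPUSER2|APPUSER2|SELECT from QSYS2.USER_INFO
"""

# Constructed special-authority map (in practice, built from your profile inventory).
SPECIAL_AUTH = {
    "QSECOFR": {"*ALLOBJ", "*SECADM"},
    "SECADMIN": {"*SECADM"},
    "APPUSER1": set(),
    "APPUSER2": set(),
}


def run_sample():
    """Run the detector over the constructed sample and return the alerts."""
    events = [parse_event(line) for line in SAMPLE_LOG.splitlines() if line.strip()]
    return detect(events, SPECIAL_AUTH)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Only the second sample record trips the rules: the session authenticated as APPUSER1 through the database server, its effective profile became QSECOFR, and the profile change came seconds after an authority failure from the same job. The interactive SECADMIN change on a non-database job is left alone, which is the baseline behaviour the recommendations ask for.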

How to Mitigate CVE-2025-36367

Immediate Actions Required

  • Apply the IBM-supplied PTFs for IBM i 7.2, 7.3, 7.4, 7.5, and 7.6 as documented in the vendor advisory.
  • Inventory all IBM i systems and confirm the running release and cumulative PTF level.
  • Restrict network access to IBM i database services (*DATABASE, ports 446/448/8471) to known administrative hosts.
  • Review user profiles holding *ALLOBJ, *SECADM, or other special authorities and remove unnecessary privileges.

Patch Information

IBM has released fixes for all affected releases. Customers should consult the IBM Support Page Advisory for the specific Program Temporary Fix (PTF) identifiers corresponding to IBM i 7.2 through 7.6 and apply them through standard PTF management procedures.

Workarounds

  • Where patching cannot be performed immediately, restrict authority to IBM i SQL services and limit which user profiles can invoke them via object-level authority changes.
  • Enable and review the IBM i security audit journal (QAUDJRN) with *AUTFAIL and *SECURITY audit values to surface exploitation attempts.
  • Place affected IBM i hosts behind network segmentation that blocks database service ports from untrusted networks until PTFs are applied.

```cl
/* Example: restrict authority on a sensitive SQL service and enable security auditing */
/* <SERVICE> is a placeholder for the program or service program behind the SQL service */
CHGAUT OBJ('/QSYS.LIB/QSYS2.LIB/<SERVICE>.PGM') USER(*PUBLIC) DTAAUT(*EXCLUDE)
CHGSYSVAL SYSVAL(QAUDCTL) VALUE('*AUDLVL *OBJAUD')
/* VALUE replaces the current QAUDLVL list; keep any audit values already in use */
CHGSYSVAL SYSVAL(QAUDLVL) VALUE('*AUTFAIL *SECURITY *PGMFAIL')
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
