CVE-2025-36425 Overview
CVE-2025-36425 affects IBM Db2 for Linux, UNIX and Windows, including Db2 Connect Server. The vulnerability impacts versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.3. An authenticated user can obtain sensitive information when the database is deployed in a specific High Availability Disaster Recovery (HADR) configuration.
The issue is classified under [CWE-256] Plaintext Storage of a Password. Exploitation requires network access and valid low-privilege credentials, but no user interaction. The flaw exposes confidentiality of stored data without affecting integrity or availability.
Critical Impact
Authenticated attackers can extract sensitive information from IBM Db2 instances configured with HADR, potentially exposing credentials or replication data.
Affected Products
- IBM Db2 for Linux, UNIX and Windows versions 11.5.0 through 11.5.9
- IBM Db2 for Linux, UNIX and Windows versions 12.1.0 through 12.1.3
- IBM Db2 Connect Server (same affected ranges)
Discovery Timeline
- 2026-02-17 - CVE-2025-36425 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2025-36425
Vulnerability Analysis
The vulnerability resides in how IBM Db2 handles sensitive data within HADR deployments. HADR replicates database changes between primary and standby servers to support continuous availability. Under specific HADR configurations, authenticated users can access sensitive information that should remain protected.
The weakness maps to [CWE-256], which covers improper storage of credentials or secrets in a recoverable form. An authenticated database user with low privileges can query or access components that expose this data over the network.
The vulnerability does not permit modification of database contents or service disruption. Impact is limited to disclosure of confidential information held by the affected Db2 instance.
Root Cause
The root cause is improper protection of sensitive data within HADR configuration artifacts. When HADR is configured in the specific vulnerable mode, sensitive values remain accessible to authenticated low-privilege users rather than being restricted to administrative roles or stored in protected form.
Attack Vector
An attacker requires valid Db2 credentials and network connectivity to the database instance. After authentication, the attacker queries or accesses HADR-related configuration or runtime data. The Db2 instance returns sensitive information that should be restricted, completing the disclosure. No social engineering or user interaction is needed.
No public proof-of-concept or exploit code is available for this issue. Refer to the IBM Support Page for vendor technical guidance.
Detection Methods for CVE-2025-36425
Indicators of Compromise
- Unexpected queries from low-privilege accounts targeting HADR configuration parameters or system catalogs containing replication metadata.
- Repeated db2 get db cfg or equivalent administrative reads from non-administrative service accounts.
- Anomalous authentication patterns followed by reads of sensitive configuration tables on the primary or standby HADR node.
Detection Strategies
- Audit Db2 access logs for low-privilege users invoking configuration retrieval commands on HADR-enabled instances.
- Enable Db2 audit facility (db2audit) for the CONTEXT, SECMAINT, and OBJMAINT categories on databases with HADR.
- Correlate authentication events with subsequent configuration or replication queries to identify reconnaissance patterns.
Monitoring Recommendations
- Forward Db2 diagnostic logs (db2diag.log) and audit output to a centralized SIEM for retention and correlation.
- Establish a baseline of expected HADR administrative activity, then alert on deviations such as off-hours access.
- Monitor outbound connections from Db2 service accounts that may indicate exfiltration of disclosed data.
How to Mitigate CVE-2025-36425
Immediate Actions Required
- Inventory all IBM Db2 instances in versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.3, especially those with HADR enabled.
- Apply the IBM-provided fix referenced in the vendor advisory as soon as feasible after validation in a test environment.
- Review and restrict Db2 user privileges, removing unnecessary accounts and enforcing least privilege on HADR-enabled databases.
- Rotate any credentials or secrets that may have been exposed through the affected HADR configuration.
Patch Information
IBM has published remediation guidance on the IBM Support Page. Administrators should consult the advisory for the exact fix pack levels and apply the corresponding update for their installed Db2 release.
Workarounds
- Restrict network access to Db2 listener ports so only trusted application hosts and HADR peers can connect.
- Limit CONNECT and SELECT privileges on HADR-enabled databases to accounts that strictly require them.
- Until patched, review HADR configuration parameters and remove any sensitive values that can be externalized to a protected secrets store.
# Configuration example: restrict Db2 connections to authorized hosts (iptables)
iptables -A INPUT -p tcp --dport 50000 -s <trusted_app_subnet> -j ACCEPT
iptables -A INPUT -p tcp --dport 50000 -s <hadr_peer_ip> -j ACCEPT
iptables -A INPUT -p tcp --dport 50000 -j DROP
# Enable Db2 audit for configuration access on HADR databases
db2audit configure scope context status both
db2audit configure scope secmaint status both
db2audit start
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
