CVE-2025-36247
Received Received - Intake
XML External Entity Injection in IBM Db2 Risks Data Exposure

Publication date: 2026-02-17

Last updated on: 2026-02-18

Assigner: IBM Corporation

Description
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 through 11.5.9 and 12.1.0 through 12.1.3 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-17
Last Modified
2026-02-18
Generated
2026-06-16
AI Q&A
2026-02-17
EPSS Evaluated
2026-06-14
NVD
CVE-2025-36247
EUVD
EUVD-2025-207703
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
ibm db2 From 11.5.0 (inc) to 11.5.9 (inc)
ibm db2 From 11.5.0 (inc) to 11.5.9 (inc)
ibm db2 From 11.5.0 (inc) to 11.5.9 (inc)
ibm db2 From 12.1.0 (inc) to 12.1.3 (inc)
ibm db2 From 12.1.0 (inc) to 12.1.3 (inc)
ibm db2 From 12.1.0 (inc) to 12.1.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-611 The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an XML External Entity (XXE) injection issue in IBM Db2 for Linux, UNIX, and Windows (including Db2 Connect Server) versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.3. It occurs when the software processes XML data, allowing a remote attacker to exploit the system.

The attacker can use this vulnerability to expose sensitive information or consume memory resources on the affected system.

The vulnerability is classified under CWE-611: Improper Restriction of XML External Entity Reference.

Impact Analysis

Exploitation of this vulnerability can lead to exposure of sensitive information stored or processed by IBM Db2, which can compromise confidentiality.

Additionally, it can cause consumption of memory resources, potentially leading to degraded system performance or availability issues.

The CVSS v3.1 score indicates a high impact on confidentiality, no impact on integrity, and a low impact on availability.

Compliance Impact

I don't know

Detection Guidance

IBM has not disclosed detailed replication steps or specific commands to detect this vulnerability in order to prevent aiding potential attackers.

No explicit detection commands or network/system scanning methods are provided in the available information.

Mitigation Strategies

Immediate mitigation involves applying the special interim fix builds provided by IBM for the affected versions.

  • For version 11.5.9, apply Special Build #66394 or later.
  • For version 12.1.2, apply Special Build #72296 or later.
  • For version 12.1.3, apply Special Build #74153 or later.

These fixes can be applied to any affected level within the respective releases.

No workarounds or alternative mitigations are currently provided, so updating to the fixed versions is the recommended action.

Customers are also advised to subscribe to IBM notifications for future updates.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-36247. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart