CVE-2025-36247
Received Received - Intake
XML External Entity Injection in IBM Db2 Risks Data Exposure

Publication date: 2026-02-17

Last updated on: 2026-02-18

Assigner: IBM Corporation

Description
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 through 11.5.9 and 12.1.0 through 12.1.3 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-17
Last Modified
2026-02-18
Generated
2026-05-27
AI Q&A
2026-02-17
EPSS Evaluated
2026-05-25
NVD
CVE-2025-36247
EUVD
EUVD-2025-207703
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
ibm db2 From 11.5.0 (inc) to 11.5.9 (inc)
ibm db2 From 11.5.0 (inc) to 11.5.9 (inc)
ibm db2 From 11.5.0 (inc) to 11.5.9 (inc)
ibm db2 From 12.1.0 (inc) to 12.1.3 (inc)
ibm db2 From 12.1.0 (inc) to 12.1.3 (inc)
ibm db2 From 12.1.0 (inc) to 12.1.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-611 The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is an XML External Entity (XXE) injection issue in IBM Db2 for Linux, UNIX, and Windows (including Db2 Connect Server) versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.3. It occurs when the software processes XML data, allowing a remote attacker to exploit the system.

The attacker can use this vulnerability to expose sensitive information or consume memory resources on the affected system.

The vulnerability is classified under CWE-611: Improper Restriction of XML External Entity Reference.


How can this vulnerability impact me? :

Exploitation of this vulnerability can lead to exposure of sensitive information stored or processed by IBM Db2, which can compromise confidentiality.

Additionally, it can cause consumption of memory resources, potentially leading to degraded system performance or availability issues.

The CVSS v3.1 score indicates a high impact on confidentiality, no impact on integrity, and a low impact on availability.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

IBM has not disclosed detailed replication steps or specific commands to detect this vulnerability in order to prevent aiding potential attackers.

No explicit detection commands or network/system scanning methods are provided in the available information.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation involves applying the special interim fix builds provided by IBM for the affected versions.

  • For version 11.5.9, apply Special Build #66394 or later.
  • For version 12.1.2, apply Special Build #72296 or later.
  • For version 12.1.3, apply Special Build #74153 or later.

These fixes can be applied to any affected level within the respective releases.

No workarounds or alternative mitigations are currently provided, so updating to the fixed versions is the recommended action.

Customers are also advised to subscribe to IBM notifications for future updates.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart