CVE-2025-36117: IBM Db2 Mirror for i Session ID Reuse Vulnerability

IBM Db2 Mirror for i is susceptible to a session management vulnerability. This flaw allows an authenticated user to potentially impersonate another user on the system by reusing a session ID. This post provides a detailed analysis of the vulnerability, its impact, and recommended mitigation steps.

Vulnerability Details

  • CVE ID: CVE-2025-36117
  • Description: IBM Db2 Mirror for i versions 7.4, 7.5, and 7.6 do not properly invalidate session IDs after use. This lack of proper session management could allow an attacker with valid credentials to impersonate another user.
  • CVSS Score: 6.3 (Medium)
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
  • CVSS Explanation: This vulnerability is rated medium severity because it can be exploited over the network with low complexity by an attacker with low privileges, without requiring user interaction. The impact on confidentiality, integrity, and availability is rated low for each.
  • Exploit Requirements: An attacker needs valid credentials for a Db2 Mirror for i account to exploit this vulnerability.

Affected Products

  • IBM Db2 Mirror for i version 7.4
  • IBM Db2 Mirror for i version 7.5
  • IBM Db2 Mirror for i version 7.6

CWE

  • CWE ID: CWE-384
  • CWE Name: Session Fixation
  • CWE Explanation: Session Fixation occurs when an application allows an attacker to hijack a user's session by persuading the user to use a specific session ID controlled by the attacker. In this case, it appears that the session ID can be reused, though the exact mechanism is not fully explained.

Timeline of Events

  • 2025-07-23: CVE ID assigned and vulnerability disclosed.

Exploitability & Real-World Risk

The vulnerability can be exploited if an attacker obtains valid credentials to the Db2 Mirror for i system. By reusing a session ID, the attacker can impersonate another user. The exact method is not described, but it could involve intercepting network traffic or exploiting other vulnerabilities to obtain valid session IDs. The real-world risk depends on the privileges of the user being impersonated. If the impersonated user has administrative privileges, the attacker could gain full control of the system.

Recommendations

Apply the fix provided by IBM. Refer to the IBM Security Bulletin for specific patch information and installation instructions.

Technical Insight

The root cause of the vulnerability is likely a flaw in the session management implementation within Db2 Mirror for i. The system does not properly invalidate session IDs or implement sufficient safeguards to prevent session reuse. The IBM fix should address this issue by implementing proper session invalidation and security checks.
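
The two symptoms described above, a session ID that stays usable after it should have been invalidated and a session ID that shows up under more than one account, can be looked for in session activity records. The following is an added example, not code from IBM or from the original advisory; the comma-separated event format, the sample lines and the function name find_session_reuse are constructed for illustration and do not reflect Db2 Mirror for i's actual logging.

```python
import csv
import io

# Constructed sample events: timestamp,session_id,user,action
# (hypothetical format, not Db2 Mirror for i's real log layout)
SAMPLE_LOG = """\
2025-07-24T09:00:01Z,sess-a1,alice,login
2025-07-24T09:00:05Z,sess-a1,alice,request
2025-07-24T09:01:10Z,sess-b2,bob,login
2025-07-24T09:02:00Z,sess-a1,alice,logout
2025-07-24T09:03:30Z,sess-a1,alice,request
2025-07-24T09:04:00Z,sess-b2,mallory,request
2025-07-24T09:05:00Z,sess-c3,carol,login
2025-07-24T09:06:00Z,sess-c3,carol,logout
"""


def find_session_reuse(log_text):
    """Return (reason, session_id, user, timestamp) for suspicious events."""
    rows = [r for r in csv.reader(io.StringIO(log_text)) if len(r) == 4]
    rows.sort(key=lambda r: r[0])  # ISO-8601 UTC timestamps sort as text

    owner = {}      # session_id -> first user seen with that ID
    closed = set()  # session IDs that have already logged out
    findings = []
    for ts, sid, user, action in rows:
        if sid in closed:
            # The ID should be dead; any later event means it was not invalidated.
            findings.append(("used_after_logout", sid, user, ts))
        elif sid in owner and owner[sid] != user:
            # One session ID presented under two different accounts.
            findings.append(("multiple_users", sid, user, ts))
        owner.setdefault(sid, user)
        if action == "logout":
            closed.add(sid)
    return findings


if __name__ == "__main__":
    for finding in find_session_reuse(SAMPLE_LOG):
        print(finding)
```
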

Credit to Researcher(s)

IBM Security Team.

Tags

#CVE-2025-36117 #IBM #Db2Mirror #SecurityVulnerability #SessionManagement #Impersonation #iSeries #AS400

Summary: IBM Db2 Mirror for i is vulnerable to session ID reuse, allowing authenticated users to potentially impersonate others. Apply the IBM fix and implement strong password policies to mitigate the risk.

Risk Analysis: Successful exploitation could allow an attacker to gain unauthorized access to sensitive data and resources, potentially leading to data breaches and system compromise.

Recommendation: Apply the fix provided by IBM. Implement strong password policies and monitor user activity.
