CVE-2025-36372: IBM Db2 Information Disclosure Vulnerability (CVSS 5.5 MEDIUM)
Per the NVD entry published June 30, CVE-2025-36372 affects IBM Db2 11.5.0 through 11.5.9 and 12.1.0 through 12.1.4 for Linux, UNIX and Windows, including Db2 Connect Server.
At a glance
- CVE-2025-36372 affects IBM Db2 11.5.0-11.5.9 and 12.1.0-12.1.4 for Linux, UNIX and Windows, including Db2 Connect Server.
- An authenticated user could obtain sensitive information from the monitoring and event tables; severity is CVSS 5.5 MEDIUM.
VERDICT — CONFIRMED
A National Vulnerability Database entry published June 30 details CVE-2025-36372, an information disclosure vulnerability in IBM Db2 rated CVSS 5.5 MEDIUM, per the NVD listing.
The flaw affects IBM Db2 11.5.0 through 11.5.9 and 12.1.0 through 12.1.4 for Linux, UNIX and Windows, including Db2 Connect Server, per the entry. It could disclose sensitive information to an authenticated user from the database's monitoring and event tables.
The authenticated-access requirement and the MEDIUM severity band frame this as a moderate exposure rather than a remotely exploitable one, per the CVSS characterization in the entry. Fix availability, affected fix-pack levels and IBM's remediation guidance were not included in the available summary; those details sit with IBM's security bulletin referenced from the NVD record.
Background
Db2 is IBM's flagship relational database, in continuous development since the early 1980s and still widely deployed in banking, insurance and government back ends — environments where the data behind an information-disclosure flaw is often precisely the kind regulators care about. The affected editions, Db2 for Linux, UNIX and Windows and the Db2 Connect gateway that links applications to mainframe databases, represent the distributed side of the product family that enterprises run on commodity servers.
The National Vulnerability Database, operated by the US National Institute of Standards and Technology, is the government's repository of published CVEs, enriching each entry with CVSS severity scoring. A 5.5 MEDIUM reflects the mitigating factors here: the attacker must already hold authenticated access, and the impact is confined to confidentiality — reading data from monitoring and event tables — rather than modification or takeover. Monitoring tables can nonetheless hold material of real value to an insider, such as SQL statement text and connection metadata, which is why database vendors patch this class of flaw routinely.
What comes next
The next stop for administrators running the affected versions is IBM's security bulletin referenced from the NVD record, which carries the fix-pack levels and remediation guidance the NVD summary omits. Standard practice is to fold the fix into the next patch cycle given the MEDIUM rating, while shops with strict insider-threat models may prioritize it, since the flaw is exercisable by any authenticated user.
Key facts on file
- CVE-2025-36372 affects IBM Db2 11.5.0-11.5.9 and 12.1.0-12.1.4 for Linux, UNIX and Windows, including Db2 Connect Server.
- An authenticated user could obtain sensitive information from the monitoring and event tables; severity is CVSS 5.5 MEDIUM.