What is the CVSS score of CVE-2025-36247?

CVE-2025-36247 has a CVSS 3.1 base score of 7.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L. EPSS exploitation probability: 0.2%.

Which versions of Windows are affected by CVE-2025-36247?

IBM Db2 databases running version 12.1.3 and earlier are vulnerable to XML External Entity (XXE) attacks that could allow attackers to access sensitive data, cause denial of service, or execute…

How to fix or mitigate CVE-2025-36247?

Within 24 hours: Inventory all Db2 instances and document versions; disable XML external entity processing if possible and assess which systems process untrusted XML input. Within 7 days: Implement network segmentation to restrict Db2 access, apply WAF rules to filter malicious XML payloads, and establish monitoring for XXE exploitation attempts. Within 30 days: Upgrade Db2 to version 12.1.4 or later when patches become available; if upgrades cannot be completed, maintain compensating controls indefinitely and implement quarterly security reviews.

Windows CVE-2025-36247

HIGH

Improper Restriction of XML External Entity Reference (CWE-611)

2026-02-17 psirt@us.ibm.com

Windows Linux IBM XXE Db2

7.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

Low

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

CVE Published

Feb 17, 2026 - 18:20 nvd

HIGH 7.1

DescriptionNVD

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 through 11.5.9 and 12.1.0 through 12.1.3 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.

AnalysisAI

Db2 versions up to 12.1.3 is affected by improper restriction of xml external entity reference (CVSS 7.1).

Technical ContextAI

This vulnerability (CWE-611: Improper Restriction of XML External Entity Reference) affects Db2. IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 through 11.5.9 and 12.1.0 through 12.1.3 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.

RemediationAI

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

More from same product – last 7 days

CVE-2026-7524 CRITICAL Act Now

9.8 May 27

Remote code execution in IBM Langflow OSS versions 1.0.0 through 1.9.1 lets unauthenticated network attackers run arbitr

CVE-2026-8175 CRITICAL Act Now

9.8 May 27

Remote code execution and authentication bypass are possible in IBM Aspera High-Speed Transfer Server and High-Speed Tra

CVE-2026-7876 CRITICAL Act Now

9.1 May 27

Authentication bypass in IBM Aspera High-Speed Transfer Server for Cloud Pak for Integration (CP4I) versions 1.5.1 throu

CVE-2026-5065 HIGH This Week

8.8 May 27

Hard-coded credentials in IBM Controller (versions 11.0.1, 11.1.0, 11.1.1, and 11.1.2) give attackers a static, embedded

CVE-2026-8179 HIGH This Week

8.8 May 27

Arbitrary code execution in IBM Aspera High-Speed Transfer Server and Endpoint (versions 3.7.4 through 4.4.7 Fix Pack 1)

CVE-2025-36247 vulnerability details – vuln.today

Back