How to fix CVE-2025-36247?

Within 24 hours: Inventory all Db2 instances and document versions; disable XML external entity processing if possible and assess which systems process untrusted XML input. Within 7 days: Implement network segmentation to restrict Db2 access, apply WAF rules to filter malicious XML payloads, and establish monitoring for XXE exploitation attempts. Within 30 days: Upgrade Db2 to version 12.1.4 or later when patches become available; if upgrades cannot be completed, maintain compensating controls indefinitely and implement quarterly security reviews.

Is Windows affected by CVE-2025-36247?

IBM Db2 databases running version 12.1.3 and earlier are vulnerable to XML External Entity (XXE) attacks that could allow attackers to access sensitive data, cause denial of service, or execute unauthorized operations.

CVE-2025-36247

HIGH

2026-02-17 [email protected]

7.1

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

Low

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

CVE Published

Feb 17, 2026 - 18:20 nvd

HIGH 7.1

Description

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 through 11.5.9 and 12.1.0 through 12.1.3 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.

Analysis

Db2 versions up to 12.1.3 is affected by improper restriction of xml external entity reference (CVSS 7.1).

Technical Context

This vulnerability (CWE-611: Improper Restriction of XML External Entity Reference) affects Db2. IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 through 11.5.9 and 12.1.0 through 12.1.3 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.

Affected Products

Vendor: Ibm. Product: Db2. Versions: up to 12.1.3.

Remediation

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.2

CVSS: +36

POC: 0

CVE-2025-36247 vulnerability details – vuln.today

Back

CVE-2025-36247

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-36247

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code