
CVE-2025-36116: CWE-1385 Missing Origin Validation in WebSockets in IBM Db2 Mirror for i

Medium
Tags: vulnerability, cve-2025-36116, cwe-1385
Published: Wed Jul 23 2025 (07/23/2025, 14:26:06 UTC)
Source: CVE Database V5
Vendor/Project: IBM
Product: Db2 Mirror for i

Description

IBM Db2 Mirror for i 7.4, 7.5, and 7.6 GUI is affected by cross-site WebSocket hijacking vulnerability. By sending a specially crafted request, an unauthenticated malicious actor could exploit this vulnerability to sniff an existing WebSocket connection to then remotely perform operations that the user is not allowed to perform.

AI-Powered Analysis

Last updated: 08/19/2025, 01:19:24 UTC

Technical Analysis

CVE-2025-36116 is a medium severity vulnerability affecting IBM Db2 Mirror for i versions 7.4, 7.5, and 7.6. The vulnerability stems from missing origin validation in the WebSocket implementation of the Db2 Mirror for i GUI. Specifically, this is a cross-site WebSocket hijacking issue categorized under CWE-1385. Cross-site WebSocket hijacking is possible because a browser attaches the user's session cookies to the WebSocket handshake and applies no same-origin restriction to it, so a server that does not check the handshake's Origin header will accept a socket opened by a page on any other site in the logged-in user's name. An unauthenticated attacker can send a specially crafted request to intercept or sniff an existing WebSocket connection between a legitimate user and the Db2 Mirror GUI. By hijacking this connection, the attacker can remotely perform unauthorized operations that the legitimate user is permitted to do, effectively escalating privileges without authentication. The vulnerability does not require user interaction but does require the attacker to be able to send crafted requests to the target system over the network. The CVSS 3.1 base score is 6.3, indicating a medium severity, with attack vector network (AV:N), low attack complexity (AC:L), requiring low privileges (PR:L), no user interaction (UI:N), unchanged scope (S:U), and low impact on confidentiality, integrity, and availability (C:L/I:L/A:L). No known exploits are currently reported in the wild, and no patches have been linked yet. This vulnerability highlights a security design flaw in the WebSocket origin validation mechanism, which is critical for preventing cross-origin attacks in web applications that use WebSockets for real-time communication.

Potential Impact

For European organizations using IBM Db2 Mirror for i, this vulnerability could lead to unauthorized access and manipulation of database mirror operations via the GUI. Since Db2 Mirror for i is used for high availability and disaster recovery in enterprise environments, exploitation could disrupt data replication processes, potentially causing data inconsistency or downtime. Confidentiality risks include exposure of sensitive data transmitted over WebSocket connections. Integrity risks involve unauthorized commands altering database mirror states or configurations. Availability could be impacted if attackers disrupt mirroring, leading to service interruptions. Given the medium severity and the requirement for network access and low privileges, attackers inside the network or with access to the GUI interface could exploit this. European organizations with critical infrastructure or financial data relying on Db2 Mirror for i could face operational risks and compliance issues under GDPR if data confidentiality is compromised.

Mitigation Recommendations

Organizations should immediately review network segmentation and access controls to restrict access to the Db2 Mirror for i GUI to trusted users and networks only. Implement strict firewall rules to limit WebSocket traffic to authorized sources. Monitor WebSocket connections for unusual activity or unauthorized access attempts. Since no patch is currently linked, organizations should engage with IBM support to obtain any available security updates or workarounds. Consider deploying Web Application Firewalls (WAFs) with WebSocket inspection capabilities to detect and block suspicious WebSocket hijacking attempts. Additionally, enforce multi-factor authentication and strong session management on the GUI to reduce the risk of session hijacking. Regularly audit and log all operations performed via the Db2 Mirror GUI to detect anomalies. Finally, educate users about the risks of accessing the GUI from untrusted networks or devices.
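The handshake check whose absence CWE-1385 describes, shown as the vulnerable accept logic beside its hardened form, complements the network-level mitigations above. This is an added illustration, not IBM's code and not the Db2 Mirror GUI's actual implementation; the GUI origin, WebSocket path, session cookie and sample handshakes are constructed.

```python
from typing import Optional
from urllib.parse import urlsplit

# Assumption: the GUI is served only from this origin (constructed name).
ALLOWED_ORIGINS = {"https://db2mirror-gui.example.internal"}

def parse_headers(raw: bytes) -> dict:
    """Headers of an HTTP/1.1 Upgrade request, with lower-cased names."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def accept_vulnerable(headers: dict) -> bool:
    """Missing origin validation (CWE-1385): any Upgrade request carrying a
    session cookie is accepted. The browser attaches the cookie and applies
    no same-origin check to WebSocket handshakes, so a page on any other
    site can open an authenticated socket in the victim's name."""
    return headers.get("upgrade", "").lower() == "websocket" and "cookie" in headers

def accept_hardened(headers: dict) -> bool:
    """Same handshake with the check in place: the socket is accepted only if
    the Origin header names an allowed origin. A missing Origin is rejected
    too, because browsers always send it on a WebSocket handshake."""
    if not accept_vulnerable(headers):
        return False
    origin = headers.get("origin")
    if origin is None:
        return False
    parts = urlsplit(origin)
    return f"{parts.scheme}://{parts.netloc}".lower() in ALLOWED_ORIGINS

def sample_handshake(origin: Optional[str]) -> bytes:
    """Constructed Upgrade request as a browser would send it with a cookie."""
    lines = [
        "GET /mirror/ws HTTP/1.1",
        "Host: db2mirror-gui.example.internal",
        "Upgrade: websocket",
        "Connection: Upgrade",
        "Sec-WebSocket-Version: 13",
        "Cookie: SESSION=constructed-session-id",
    ]
    if origin is not None:
        lines.append(f"Origin: {origin}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()
```

Running the same cross-site handshake through both functions shows the difference: the vulnerable path accepts it on the strength of the cookie alone, the hardened path refuses it because the Origin is not on the allow-list.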


Technical Details

Data Version: 5.1
Assigner Short Name: ibm
Date Reserved: 2025-04-15T21:16:17.124Z
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 6880f613ad5a09ad00266d82

Added to database: 7/23/2025, 2:47:47 PM

Last enriched: 8/19/2025, 1:19:24 AM

Last updated: 9/5/2025, 3:49:05 AM

Views: 23
