CVE-2025-36367: CWE-862 Missing Authorization
IBM i 7.6, 7.5, 7.4, 7.3, and 7.2 are vulnerable to privilege escalation caused by an invalid IBM i SQL services authorization check. A malicious actor can use the elevated privileges of another user profile to gain root access to the host operating system.
AI Analysis
Technical Summary
CVE-2025-36367 is a vulnerability classified under CWE-862 (Missing Authorization) that affects IBM i operating system versions 7.2 through 7.6. The flaw arises from an invalid authorization check within IBM i SQL services, which fails to properly verify user privileges before allowing certain operations. This gap enables a malicious actor who already has some limited level of access to use the elevated privileges of another user profile, ultimately gaining root-level access to the host operating system. Root access on IBM i equates to full administrative control, allowing attackers to manipulate system configurations, access sensitive data, install persistent malware, or disrupt services. The vulnerability requires no user interaction and can be exploited over the network (CVSS vector AV:N), with low attack complexity (AC:L) and only low privileges required (PR:L). The scope is unchanged (S:U), meaning the impact is confined to the vulnerable component, but the impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H). No public exploits have been reported yet, but the vulnerability's nature and severity make it a critical concern for organizations relying on IBM i platforms. IBM has not yet released patches, so mitigation currently relies on compensating controls and monitoring.
Potential Impact
The impact of CVE-2025-36367 is severe for organizations using IBM i systems, which are often deployed in critical business environments such as finance, manufacturing, and government. Successful exploitation grants attackers root access, enabling full control over the host OS. This can lead to unauthorized data access or exfiltration, system manipulation, installation of persistent backdoors, disruption of business operations, and potential compliance violations. The vulnerability compromises confidentiality, integrity, and availability simultaneously. Given IBM i's role in enterprise resource planning and transaction processing, exploitation could result in significant financial loss, reputational damage, and operational downtime. The lack of required user interaction and low complexity of exploitation increase the risk of automated or targeted attacks. Organizations without timely mitigation may face escalated threats from insider attackers or external adversaries who have initial footholds.
Mitigation Recommendations
Until IBM releases official patches, organizations should implement strict access controls to limit the number of users with privileges that could be leveraged for escalation. Conduct thorough audits of user profiles and permissions to detect and remove excessive privileges. Employ network segmentation to isolate IBM i systems from less trusted networks and restrict remote access to trusted administrators only. Monitor system logs and SQL service activities for unusual privilege escalations or suspicious behavior. Use intrusion detection and prevention systems tailored for IBM i environments to detect exploitation attempts. Prepare for rapid deployment of patches once available by establishing robust change management processes. Additionally, consider deploying application whitelisting and endpoint protection solutions that can detect anomalous root-level activities. Regularly back up critical data and system configurations to enable recovery in case of compromise.
Affected Countries
United States, Japan, Germany, United Kingdom, Canada, Australia, France, Brazil, Netherlands, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: ibm
- Date Reserved: 2025-04-15T21:16:55.332Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6905f7d9b1eaf3d2f0fca9cf
Added to database: 11/1/2025, 12:06:49 PM
Last enriched: 2/27/2026, 1:47:33 AM
Last updated: 3/24/2026, 7:06:17 PM