CVE-2025-36371 is an information disclosure vulnerability classified under CWE-598, which relates to the use of GET request methods with sensitive query strings, leading to unintended exposure of sensitive data. The vulnerability specifically affects IBM i operating system versions 7.2 through 7.6, targeting the database plan cache implementation. The database plan cache stores execution plans for database queries to optimize performance. However, due to improper access controls or design flaws, users with access to the plan cache can retrieve sensitive information embedded within cached plans that they are not authorized to view. This could include query parameters, database schema details, or other confidential data. The CVSS 3.1 base score is 6.5 (medium severity), with an attack vector of network (AV:N), low attack complexity (AC:L), requiring privileges (PR:L) but no user interaction (UI:N). The scope is unchanged (S:U), and the impact is high on confidentiality (C:H), with no impact on integrity (I:N) or availability (A:N). No public exploits have been reported yet, and no patches are currently linked, indicating that organizations should monitor IBM's advisories closely. The vulnerability could be exploited by an authenticated user with limited privileges to gain unauthorized visibility into sensitive data, potentially aiding further attacks or data leakage.

For European organizations, this vulnerability poses a risk of unauthorized disclosure of sensitive information stored or processed within IBM i database environments. Sectors such as finance, manufacturing, public administration, and utilities that rely heavily on IBM i systems for critical operations could face confidentiality breaches, leading to regulatory compliance issues under GDPR and other data protection laws. Exposure of sensitive query data or database metadata could facilitate further targeted attacks, insider threats, or data exfiltration. Although the vulnerability does not directly impact system integrity or availability, the confidentiality breach alone can result in significant reputational damage, financial penalties, and loss of customer trust. The requirement for low privileges means that insider threats or compromised low-level accounts could exploit this vulnerability, increasing the risk profile. Since IBM i systems are often used in legacy and critical infrastructure environments, the impact of data leakage can be substantial.

Organizations should implement strict access controls to limit who can access the database plan cache, ensuring only fully authorized administrators have such privileges. Monitoring and auditing access to the plan cache should be enhanced to detect unusual or unauthorized queries. Network segmentation and firewall rules should restrict access to IBM i systems to trusted hosts and users. IBM i administrators should stay alert for official patches or updates from IBM and apply them promptly once available. In the interim, consider disabling or restricting features that expose the plan cache if feasible without disrupting business operations. Employing encryption for sensitive data at rest and in transit can reduce the impact of any data exposure. Additionally, conduct regular security assessments and penetration tests focusing on IBM i environments to identify and remediate similar weaknesses proactively.