CVE-2025-36387: CWE-770 Allocation of Resources Without Limits or Throttling in IBM Db2 for Linux, UNIX and Windows
IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.5.0 - 11.5.9 could allow an authenticated user to cause a denial of service when given a specially crafted query.
AI Analysis
Technical Summary
CVE-2025-36387 is a resource exhaustion vulnerability classified under CWE-770, affecting IBM Db2 for Linux, UNIX, and Windows versions 11.5.0 through 11.5.9, including DB2 Connect Server. The flaw arises from the database engine’s failure to impose limits or throttling on resource allocation when processing specially crafted queries submitted by authenticated users. This can lead to excessive consumption of CPU, memory, or other critical resources, resulting in denial of service conditions where legitimate database operations are delayed or halted. The attack vector is network-based, requiring the attacker to have valid credentials but no additional user interaction. The vulnerability does not affect confidentiality or integrity but severely impacts availability, potentially disrupting business-critical applications relying on IBM Db2. Although no public exploits have been observed, the low complexity of exploitation and the widespread use of IBM Db2 in enterprise environments make this a significant concern. The absence of patches at the time of reporting necessitates proactive mitigation strategies. The CVSS 3.1 base score of 6.5 reflects medium severity, with attack vector network (AV:N), low attack complexity (AC:L), privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), no confidentiality or integrity impact (C:N/I:N), and high availability impact (A:H).
Potential Impact
For European organizations, this vulnerability poses a risk of service disruption in environments running affected IBM Db2 versions. Denial of service can lead to downtime of critical database services, impacting business operations, customer-facing applications, and internal processes. Industries such as finance, healthcare, telecommunications, and government agencies that rely heavily on IBM Db2 for transaction processing and data management could experience operational delays and potential financial losses. The requirement for authentication limits exploitation to insiders or compromised accounts, but insider threats and credential theft remain realistic attack vectors. The lack of confidentiality or integrity impact reduces the risk of data breaches but does not lessen the operational impact. Additionally, prolonged DoS conditions could affect compliance with service-level agreements (SLAs) and regulatory requirements for availability. The medium severity rating suggests that, although the issue warrants prompt attention, the threat is manageable with proper controls and monitoring.
Mitigation Recommendations
1. Apply patches or updates from IBM as soon as they become available for Db2 versions 11.5.0 through 11.5.9.
2. Implement strict access controls and monitor authentication logs to detect unauthorized or suspicious access attempts.
3. Enforce query resource limits and throttling mechanisms within Db2 configurations to prevent excessive resource consumption from individual queries.
4. Use database activity monitoring tools to identify anomalous query patterns indicative of resource exhaustion attempts.
5. Segment database servers within secure network zones and restrict access to trusted users and applications only.
6. Regularly review and audit user privileges to minimize the number of accounts with database access.
7. Prepare incident response plans that include procedures for mitigating denial of service events on database infrastructure.
8. Engage with IBM support and subscribe to security advisories to stay informed about patches and emerging threats related to Db2.
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: ibm
- Date Reserved: 2025-04-15T21:16:57.302Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 697d25daac063202227d3682
Added to database: 1/30/2026, 9:42:50 PM
Last enriched: 2/7/2026, 8:34:16 AM
Last updated: 3/25/2026, 1:39:41 AM
Views: 48