Introduction
Privilege escalation on a core enterprise platform can mean the difference between a contained incident and a full system compromise. IBM i systems underpin critical operations in banking, manufacturing, and government, making any flaw in their security controls a matter of broad operational risk.
IBM i, formerly known as AS/400 and iSeries, is a foundational platform in the enterprise computing landscape. Used globally by thousands of organizations, it is recognized for its reliability and is central to many mission-critical workloads. IBM, as a vendor, has a significant presence in the technology sector with a diverse product portfolio and a long-standing influence on enterprise IT infrastructure.
Technical Information
CVE-2025-36367 is a privilege escalation vulnerability in IBM i SQL services, specifically affecting versions 7.2, 7.3, 7.4, 7.5, and 7.6. The vulnerability is rooted in an invalid or missing authorization check (CWE-862) within the SQL services component. This flaw allows an authenticated user to execute SQL procedures or functions using the elevated privileges of another user profile. The attacker does not need to possess elevated privileges initially but must have valid credentials to access the system.
The core issue is that SQL services do not properly verify that the requesting user holds the authority required for certain sensitive operations before running them. A malicious actor can use this gap to escalate privileges, ultimately gaining root access to the host operating system. The vulnerability is present across multiple major versions, indicating a longstanding flaw in the authorization logic of IBM i SQL services. No public code snippets or proof of concept are available for this vulnerability.
Affected Systems and Versions
CVE-2025-36367 affects the following IBM i versions:
- IBM i 7.2
- IBM i 7.3
- IBM i 7.4
- IBM i 7.5
- IBM i 7.6
All configurations using IBM i SQL services on these versions are considered vulnerable unless patched.
Vendor Security History
IBM i has experienced several privilege escalation vulnerabilities in recent years. Notable examples include:
- CVE-2025-33109: Privilege escalation due to invalid database authority check
- CVE-2025-33103: Privilege escalation in TCP/IP Connectivity Utilities
- CVE-2025-2947: Privilege escalation due to incorrect profile swapping in OS command
IBM's Product Security Incident Response Team (PSIRT) manages vulnerability disclosures and patch releases. The vendor typically provides timely advisories and security updates through its support channels.