Cross-Site WebSocket Hijacking in IBM Db2 Mirror for i
CVE-2025-36116

6.3MEDIUM

Key Information:

Vendor: IBM
Status: Db2 Mirror For I
Vendor: CVE Published:; 23 July 2025

What is CVE-2025-36116?

The IBM Db2 Mirror for i GUI is vulnerable to a cross-site WebSocket hijacking attack. An unauthenticated threat actor could exploit this flaw by sending a specially crafted request, which allows them to capture an existing WebSocket connection. This vulnerability could enable the attacker to perform unauthorized actions on behalf of users, exposing sensitive data and compromising the integrity of the system. Organizations using vulnerable versions of Db2 Mirror for i should assess their exposure and implement necessary mitigations.

Affected Version(s)

Db2 Mirror for i 7.4, 7.5, 7.6

References

https://www.ibm.com/support/pages/node/7240351

vendor-advisory

CVSS V3.1

Score:

6.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 23, 2025
Vulnerability Reserved
Apr 15, 2025