CVE-2025-36367
IBM · IBM Multiple Products
A critical vulnerability has been identified in multiple IBM products, specifically affecting the IBM i 7 operating system.
Executive summary
A critical vulnerability has been identified in multiple IBM products, specifically affecting the IBM i 7 operating system. This flaw, rated as high severity, could allow a remote, unauthenticated attacker to execute arbitrary commands on a vulnerable system, potentially leading to a complete system compromise, data theft, and significant business disruption. Organizations are urged to apply the vendor-provided security updates immediately to mitigate this threat.
Vulnerability
This vulnerability is a remote command injection flaw within a core network service of the IBM i 7 operating system. An unauthenticated attacker can send a specially crafted network packet to the vulnerable service. Due to improper input sanitization, the packet can be manipulated to include operating system commands, which are then executed on the target system with elevated privileges. Successful exploitation does not require any user interaction or prior access to the system.
Business impact
This vulnerability presents a significant risk to the organization, classified as High severity with a CVSS score of 8.8. Successful exploitation could result in a complete compromise of the affected IBM i systems, which often host mission-critical applications and sensitive data. Potential consequences include unauthorized access to and exfiltration of confidential customer information, financial records, and intellectual property; disruption of core business operations; and the ability for an attacker to use the compromised system as a pivot point to launch further attacks against the internal network. The financial, reputational, and regulatory impact of such a breach would be severe.
Remediation
Immediate Action: The primary remediation step is to apply the security updates provided by IBM to all affected systems immediately. Given the critical nature of this vulnerability, this action should be prioritized within an emergency change management window. In parallel, security teams should actively monitor for indicators of compromise and review system and network access logs for suspicious activity, particularly activity directed at the vulnerable services.
Proactive Monitoring: Implement enhanced monitoring for IBM i systems. Security teams should look for unusual network traffic patterns to IBM i services, unexpected outbound connections from these systems, and anomalies in system audit journals (QAUDJRN). Specifically, monitor for unexpected process creation or shell command execution by the service account associated with the vulnerable component.
Compensating Controls: If immediate patching is not feasible, implement the following compensating controls to reduce the risk of exploitation:
- Use a firewall or network access control lists (ACLs) to strictly limit network access to the vulnerable services on the IBM i systems. Only allow connections from trusted, explicitly authorized IP addresses.
- Deploy an Intrusion Prevention System (IPS) with virtual patching capabilities or signatures designed to detect and block exploit attempts against CVE-2025-36367.
- Increase the logging level for the affected services and ensure logs are being ingested into a centralized SIEM for correlation and alerting.
Exploitation status
Public Exploit Available: false
Analyst recommendation
This vulnerability must be treated as a critical threat to the organization. The high CVSS score of 8.8 reflects the ease of exploitation and the potential for complete system compromise. Although not currently listed in the CISA KEV catalog, its severity makes it a strong candidate for future inclusion. We strongly recommend that all affected IBM i systems be patched within the organization's emergency patching timeline. If patching is delayed, the compensating controls outlined above must be implemented immediately to reduce the attack surface.