Platform: ibm
Component: ibm-java-sdk
Fixed in: 5.5.1
CVE-2025-27904 describes a cross-site request forgery (CSRF) vulnerability discovered in IBM DB2 Recovery Expert for LUW version 5.5 Interim Fix 002. The flaw allows an attacker to trick an authenticated user into submitting requests the user did not intend, potentially leading to unauthorized data manipulation or system compromise. The vulnerability affects version 5.5 Interim Fix 002 and is resolved in version 5.5.1.
A successful CSRF attack could allow an attacker to execute malicious and unauthorized actions within the context of a legitimate user's session. This could involve modifying recovery configurations, initiating unintended recovery operations, or potentially gaining access to sensitive data related to database recovery processes. The blast radius is limited to the scope of actions that can be performed through the DB2 Recovery Expert interface, but the impact on data integrity and availability could be significant if critical recovery procedures are manipulated. While not directly leading to remote code execution, a CSRF in a recovery tool could be leveraged to disrupt database operations and potentially cause data loss.
CVE-2025-27904 was published on 2026-02-17. There are currently no publicly known proof-of-concept exploits available. The vulnerability's CVSS score of 6.5 (MEDIUM) rates its severity as moderate. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.02% (4th percentile)
The primary mitigation for CVE-2025-27904 is to upgrade to IBM DB2 Recovery Expert for LUW version 5.5.1 or later. If an immediate upgrade is not feasible, consider implementing strict input validation and output encoding within the application to prevent malicious requests from being processed. Implementing a Content Security Policy (CSP) can also help mitigate CSRF attacks by restricting the sources from which scripts can be executed. Review and restrict user permissions within the DB2 Recovery Expert interface to limit the potential impact of a successful CSRF attack.
Update IBM Db2 Recovery Expert for LUW to a version later than 5.5 Interim Fix 002 that includes the fix for the Cross-Site Request Forgery (CSRF) vulnerability. See the IBM security advisory for more details and specific update instructions.
CVE-2025-27904 is a cross-site request forgery (CSRF) vulnerability affecting IBM DB2 Recovery Expert for LUW version 5.5 Interim Fix 002, allowing attackers to perform unauthorized actions.
You are affected if you are using IBM DB2 Recovery Expert for LUW version 5.5 Interim Fix 002. Upgrade to 5.5.1 or later to mitigate the risk.
The recommended fix is to upgrade to IBM DB2 Recovery Expert for LUW version 5.5.1 or later. Consider input validation and CSP as interim measures.
As of the current date, there are no publicly known active exploitation campaigns targeting CVE-2025-27904.
Refer to the official IBM Security Bulletin for CVE-2025-27904 on the IBM website (search for the bulletin ID related to DB2 Recovery Expert).