

Multiple Zoho ManageEngine Exchange Reporter Vulnerabilities
June 27, 2025
Severity
High
Analysis Summary
A critical privilege escalation vulnerability (CVE-2025-36004) has been identified in IBM Facsimile Support for i, a component deployed on IBM i systems from versions 7.2 to 7.5. Discovered by researchers, the flaw is rooted in an unqualified library call, categorized under CWE-427: Uncontrolled Search Path Element. It carries a high CVSS base score, indicating severe risk with low attack complexity. The flaw allows attackers with limited privileges, such as those capable of program compilation or restoration, to execute user-controlled code with elevated (administrator) rights, without requiring user interaction.
The vulnerability arises from improper validation of library search paths. IBM Facsimile Support for i fails to restrict where it looks for dependent libraries, allowing a local attacker to place a malicious library in a location that is prioritized in the system's loading order. When the application calls the library, it inadvertently executes the attacker's code. This privilege escalation path allows compromise of system confidentiality, integrity, and availability, each rated high in impact. Because IBM i systems often serve critical enterprise roles, including data hosting and transaction processing, exploitation could lead to full system compromise and persistent backdoor access.
This issue affects the IBM i 7.2, 7.3, 7.4, and 7.5 releases, and specifically the 5798-FAX component, which can be installed on all of these versions. Given the wide deployment of this component in enterprise environments, the potential attack surface is substantial. Exploitation requires network access, low privileges, and no user interaction, making it a viable path for insider threats or attackers who have gained a minimal foothold on the system. There are no existing mitigations or temporary workarounds, which amplifies the urgency to patch.
To address the vulnerability, IBM has released PTF SJ06024 for product 5798-FAX, which fixes the improper path resolution behavior by enforcing strict validation during library calls. IBM recommends immediate patching through Fix Central or the provided PTF download. Organizations operating unsupported IBM i versions are strongly advised to upgrade to supported ones and apply the patch. Due to the potential for remote privilege escalation and the central role of IBM i systems in enterprise infrastructure, CVE-2025-36004 should be treated as a critical security threat demanding swift remediation.
Impact
- Privilege Escalation
- Gain Access
Indicators of Compromise
CVE
CVE-2025-36004
Affected Vendors
- IBM
Affected Products
- IBM i 7.2
- IBM i 7.3
- IBM i 7.4
- IBM i 7.5
Remediation
- Refer to the IBM Security Advisory for patch, upgrade, or suggested workaround information.
- Verify successful patch installation by checking system logs or PTF levels to confirm the vulnerability is mitigated.
- Upgrade unsupported IBM i versions to the latest supported releases before applying the patch, as older versions do not receive security fixes.
- Restrict program compilation and restoration privileges to only trusted administrative users to reduce the risk of internal misuse.
- Audit system libraries and paths for any unauthorized or suspicious files that may have been placed by potential attackers prior to patching.
- Implement continuous monitoring for unauthorized privilege escalations or unusual behavior on IBM i systems.
- Review access control policies and enforce the principle of least privilege for all users and service accounts.
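The following is an added model, not IBM code and not IBM i CL, of the weakness the analysis summary describes (CWE-427: an unqualified call resolved by walking an ordered library search list, so a writable entry ahead of the trusted one wins) together with the audit check the remediation list asks for (library and path entries that an untrusted user can write to, and objects in them that shadow trusted ones). Library names, object names and owners below are constructed; which libraries a low-privilege user can write to is an assumption of the model, not a statement about any IBM i configuration.

```python
"""Model of an unqualified-call search path (CWE-427) and an audit for it.

Constructed example: library names, objects and owners are invented and the
'writable by a low-privilege user' flag is an assumption of the model, not a
fact about IBM i or the 5798-FAX component.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Library:
    name: str
    # Assumption of the model: True when a user with only compile/restore
    # rights can create objects in this library.
    low_priv_writable: bool
    objects: Dict[str, str] = field(default_factory=dict)  # object -> owner


@dataclass
class SearchList:
    """Ordered list of libraries consulted for an unqualified object name."""
    libs: List[Library]

    def resolve_unqualified(self, obj: str) -> Optional[str]:
        # First match wins. This is the weakness: an earlier entry that an
        # untrusted user can write to takes precedence over the real object.
        for lib in self.libs:
            if obj in lib.objects:
                return f"{lib.name}/{obj}"
        return None

    def resolve_qualified(self, lib_name: str, obj: str) -> Optional[str]:
        # The corrected call names the library explicitly, so the position of
        # writable entries in the search list no longer matters.
        for lib in self.libs:
            if lib.name == lib_name and obj in lib.objects:
                return f"{lib.name}/{obj}"
        return None

    def writable_ahead_of(self, trusted: str) -> List[str]:
        """Libraries searched before `trusted` that a low-privilege user can
        write to. Each one is an exposure even before anything is planted."""
        ahead = []
        for lib in self.libs:
            if lib.name == trusted:
                break
            if lib.low_priv_writable:
                ahead.append(lib.name)
        return ahead

    def shadowed_objects(self, trusted: str) -> List[Tuple[str, str, str]]:
        """Objects of `trusted` that also exist in an earlier writable
        library: (object, shadowing library, owner). These are the files the
        remediation list says to audit before patching."""
        trusted_lib = next((l for l in self.libs if l.name == trusted), None)
        if trusted_lib is None:
            return []
        findings = []
        for lib in self.libs:
            if lib.name == trusted:
                break
            if not lib.low_priv_writable:
                continue
            for obj, owner in lib.objects.items():
                if obj in trusted_lib.objects:
                    findings.append((obj, lib.name, owner))
        return findings


def build_sample(trusted_first: bool = False) -> SearchList:
    """Constructed search list: a writable scratch library and the product
    library, with the scratch library holding a same-named object."""
    prod = Library("PRODLIB", False, {"FAXSEND": "ADMIN", "FAXRPT": "ADMIN"})
    tmp = Library("TMPLIB", True, {"FAXSEND": "LOWUSER", "SCRATCH": "LOWUSER"})
    return SearchList([prod, tmp] if trusted_first else [tmp, prod])


if __name__ == "__main__":
    sl = build_sample()
    print("unqualified:", sl.resolve_unqualified("FAXSEND"))
    print("qualified:  ", sl.resolve_qualified("PRODLIB", "FAXSEND"))
    print("writable ahead of PRODLIB:", sl.writable_ahead_of("PRODLIB"))
    print("shadowed objects:", sl.shadowed_objects("PRODLIB"))
```

With the scratch library ahead of the product library, the unqualified call resolves to the planted `TMPLIB/FAXSEND` while the qualified call still reaches `PRODLIB/FAXSEND`; the two audit methods report the exposure (`TMPLIB` searched first) and the concrete shadowing object, which is the kind of finding to act on when reviewing library lists and paths prior to applying PTF SJ06024.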