CVE-2025-13755
Analyzed Analyzed - Analysis Complete
IBM Db2 Information Disclosure in Log Files

Publication date: 2026-05-26

Last updated on: 2026-05-27

Assigner: IBM Corporation

Description
IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UNIX and Windows (includes DB2 Connect Server) stores potentially sensitive information in log files that could be read by a local user.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-26
Last Modified
2026-05-27
Generated
2026-06-16
AI Q&A
2026-05-26
EPSS Evaluated
2026-06-14
NVD
CVE-2025-13755
EUVD
EUVD-2025-209933
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
ibm db2 From 11.5.0 (inc) to 11.5.9 (inc)
ibm db2 From 11.5.0 (inc) to 11.5.9 (inc)
ibm db2 From 11.5.0 (inc) to 11.5.9 (inc)
ibm db2 From 12.1.0 (inc) to 12.1.4 (inc)
ibm db2 From 12.1.0 (inc) to 12.1.4 (inc)
ibm db2 From 12.1.0 (inc) to 12.1.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-532 The product writes sensitive information to a log file.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

IBM Db2 for Linux, UNIX, and Windows (including DB2 Connect Server) has a vulnerability where sensitive information, such as credentials, may be stored in the db2diag log files when specific testcase buckets are executed.

This means that a local user with access to these log files could potentially read sensitive data that should not be exposed.

The affected versions include Db2 11.5.0 through 11.5.9 and Db2 12.1.0 through 12.1.4.

Impact Analysis

This vulnerability can lead to credential exposure, allowing a local user to access sensitive information stored in log files.

Such exposure could compromise the security of the database environment by enabling unauthorized access or further attacks using the leaked credentials.

The CVSS base score of 5.5 indicates a moderate severity, meaning the impact is significant but requires local access and low privileges.

Detection Guidance

This vulnerability involves sensitive information being stored in the db2diag log file when specific testcase buckets are executed. Detection involves checking these log files for the presence of sensitive data exposure.

You can inspect the db2diag log files on the affected Db2 servers to detect if sensitive information is being logged. For example, on Linux or UNIX systems, you might use commands like:

  • grep -i 'password' /path/to/db2diag.log
  • grep -i 'credential' /path/to/db2diag.log
  • grep -i 'testcase' /path/to/db2diag.log

These commands help identify if sensitive information related to credentials is being logged. Adjust the log file path as per your Db2 installation.

Mitigation Strategies

IBM recommends applying the interim fixes available through Fix Central for Db2 versions 11.5.9 and 12.1.4 to address this vulnerability.

As an immediate workaround, you can reduce the risk of credential exposure by setting the diaglevel parameter to 2, 1, or 0, which lowers the verbosity of logging and limits sensitive information being recorded.

Ensure that only authorized local users have access to the db2diag log files to prevent unauthorized reading of sensitive information.

Compliance Impact

The vulnerability involves the storage of potentially sensitive information in log files that could be accessed by a local user. This exposure of sensitive data may impact compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding sensitive information from unauthorized access.

Organizations using affected IBM Db2 versions should apply the provided fixes or mitigations to reduce the risk of credential exposure and help maintain compliance with these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-13755. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart