PatchSiren cyber security CVE debrief
CVE-2025-13755 IBM CVE debrief
IBM Db2 for Linux, UNIX, and Windows (versions 11.5.0–11.5.9 and 12.1.0–12.1.4, including DB2 Connect Server) stores potentially sensitive information in log files that could be read by a local user. The vulnerability is classified as CWE-532 (Insertion of Sensitive Information into Log File). With a CVSS 3.1 score of 5.5 (MEDIUM), the issue requires local access and low privileges, but results in high confidentiality impact due to potential exposure of sensitive data in logs. No known exploitation in the wild or ransomware campaign use has been reported. IBM has published a security bulletin with remediation guidance.
- Vendor: IBM
- Product: Db2
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-26
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-26
- Advisory updated: 2026-05-27
Who should care
Database administrators managing IBM Db2 deployments, security teams responsible for database hardening, and compliance officers concerned with sensitive data exposure in log files.
Technical summary
The vulnerability stems from sensitive data being written to Db2 log files without adequate access restrictions. A local user with low privileges can read these logs and obtain sensitive information. The attack requires no user interaction and has no integrity or availability impact. Affected platforms are Linux, UNIX, and Windows deployments of Db2 11.5.x and 12.1.x.
Defensive priority
medium
Recommended defensive actions
- Review IBM security bulletin for available fixes and apply relevant patches or configuration changes to affected Db2 deployments
- Audit Db2 log file permissions to ensure least-privilege access controls are enforced
- Identify and rotate any potentially exposed credentials or sensitive data that may have been logged
- Monitor for anomalous local access to Db2 log directories
- Subscribe to IBM security notifications for this product to receive updates on patch availability
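The permission audit in the second action above can be scripted. The following POSIX shell function is an added example and is not IBM's or the advisory's own tooling; it walks a directory and reports every file or subdirectory whose mode grants read access to group or others, which is exactly the condition that lets an unrelated local user read a log. The directory it should be pointed at is an assumption: Db2 writes its diagnostic data under the path configured in the instance's DIAGPATH database manager parameter, and the demo below uses a constructed temporary directory instead so it runs offline.

```sh
#!/bin/sh
# Added example, not from IBM or the advisory: audit a Db2 log/diagnostic
# directory for entries readable by anyone other than the owner.
# The DIAGPATH location is an assumption (it is set per instance in the
# Db2 database manager configuration); pass the real path as $1.

# List every entry under $1 whose mode grants read access to group or others,
# one "<mode> <path>" line each. Exit status 0 means nothing is exposed.
audit_log_perms() {
    dir="$1"
    count=0
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        # ls -ld prints the symbolic mode first; works on GNU and BSD userlands
        mode=$(ls -ld "$entry" | cut -d' ' -f1)
        printf '%s %s\n' "$mode" "$entry"
        count=$((count + 1))
    done <<EOF
$(find "$dir" \( -type f -o -type d \) \( -perm -g=r -o -perm -o=r \) 2>/dev/null)
EOF
    [ "$count" -eq 0 ]
}

# Constructed demo directory so the script runs offline; replace with DIAGPATH.
demo=$(mktemp -d)
printf 'constructed sample line\n' > "$demo/db2diag.log"
chmod 644 "$demo/db2diag.log"      # group/other readable: will be reported
printf 'constructed sample line\n' > "$demo/private.log"
chmod 600 "$demo/private.log"      # owner only: not reported
chmod 700 "$demo"                  # the directory itself is owner only

if audit_log_perms "$demo"; then
    echo "no exposed log entries under $demo"
else
    echo "review the entries above before tightening modes"
fi
rm -rf "$demo"
```

The function only reports; it deliberately does not chmod anything, because the Db2 instance owner, fenced user and any monitoring account that legitimately tails the diagnostic log all need to keep their access. Decide per deployment whether group read is required, then tighten with `chmod o-r` or `chmod g-r,o-r` on the reported paths and add the same check to a scheduled job so a later log rotation that recreates files with a permissive umask is caught.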
Evidence notes
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. CWE-532 identified as primary weakness. Vendor confirmation via IBM PSIRT reference.
Official resources
- CVE-2025-13755 CVE record (CVE.org)
- CVE-2025-13755 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory
IBM disclosed this vulnerability via its Product Security Incident Response Team (PSIRT). The CVE was published to NVD on 2026-05-26 and remains under analysis.