IBM Db2, Credential Exposure, CVE-2025-13755 (Medium)

Listen to this Post

How CVE-2025-13755 Works

CVE-2025-13755 is an information disclosure vulnerability in IBM Db2. The vulnerability lies in how the database engine handles specific “testcase buckets.” When these internal testcase buckets are executed, the diagnostic logging process, db2diag, writes the raw input and output data from these tests directly into the diagnostic log file (db2diag.log). These testcase buckets can contain sensitive information, including usernames and passwords in plaintext, which are then logged. This issue is classified as a CWE-532: Insertion of Sensitive Information into Log File. The attack vector is local, requiring the attacker to have access to the system and be able to read the diagnostic logs. The vulnerability affects all platforms where Db2 runs, including Linux, UNIX, and Windows. An attacker with low privileges can gain access to the `db2diag.log` file, extract the exposed credentials, and use them to gain higher privileges within the database system. The core problem is the failure to sanitize sensitive data before writing it to persistent logs. The CVSS score for this vulnerability is 5.5 (Medium), reflecting the local access requirement but high confidentiality impact.

dailycve Form

Platform: IBM Db2
Version: 11.5.0-11.5.9 & 12.1.0-12.1.4
Vulnerability : Information Disclosure
Severity: Medium (5.5)
date: May 26, 2026
Prediction: June 9, 2026

What Undercode Say:

Check current DIAGLEVEL and DIAGPATH settings
db2 get dbm cfg | grep -E "(DIAGLEVEL|DIAGPATH)"
Search for potential credential exposure in the db2diag.log
grep -i -E "(password|user|pwd|secret)" /path/to/db2diag.log
Workaround: Lower diagnostic level to prevent detailed logging
db2 update dbm cfg using DIAGLEVEL 2
Apply the official patch for Db2 V11.5.9 (special build 81937 or later)
For more details, refer to IBM's Fix Central: https://www.ibm.com/support/pages/node/7087189

Exploit:

A local, authenticated user with read access to Db2 diagnostic logs. The attacker first identifies the location of the diagnostic logs by querying the `DIAGPATH` configuration. They then simply read the `db2diag.log` file and search for any credentials that may have been logged when the vulnerable testcase buckets were executed. These credentials can then be used to pivot to a more privileged database role.

Protection from this CVE

  • Patch: Immediately upgrade to the special builds V11.5.9 or V12.1.4 provided by IBM.
  • Workaround: Lower the diagnostic level (diaglevel) to 2 or less to prevent the sensitive information from being written.
  • Access Control: Strictly restrict local access to the Db2 diagnostic log directory (diagpath).
  • Log Rotation & Purge: Implement a policy to regularly purge or archive old diagnostic logs to reduce the window of exposure.
  • Monitoring: Set up monitoring for unusual reads of the `db2diag.log` file.

Impact

  • Confidentiality: High. Direct theft of plaintext credentials, leading to unauthorized data access.
  • Integrity: None.
  • Availability: None.
  • Business Impact: Potential for complete database compromise, data breaches, and non-compliance with security standards like GDPR or PCI DSS.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top