CVE-2025-13755 Overview
CVE-2025-13755 is an information disclosure vulnerability in IBM Db2 for Linux, UNIX, and Windows. The flaw affects Db2 versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.4, including DB2 Connect Server. The database engine writes potentially sensitive information into log files that a local user can read. The issue is classified under CWE-532: Insertion of Sensitive Information into Log File. IBM has published a security advisory addressing the issue.
Critical Impact
A local user with access to the Db2 host can read sensitive information from log files, leading to confidentiality loss without requiring elevated privileges beyond standard local access.
Affected Products
- IBM Db2 for Linux, UNIX, and Windows 11.5.0 through 11.5.9
- IBM Db2 for Linux, UNIX, and Windows 12.1.0 through 12.1.4
- IBM DB2 Connect Server (bundled within the affected Db2 releases)
Discovery Timeline
- 2026-05-26 - CVE-2025-13755 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2025-13755
Vulnerability Analysis
CVE-2025-13755 is an information disclosure flaw caused by improper handling of sensitive data during logging operations. IBM Db2 writes diagnostic and operational data to log files that are accessible to local users on the database host. The exposed data may include information that should remain confidential within the database process boundary. Exploitation requires only local access with low privileges and no user interaction. The attack does not affect integrity or availability, but confidentiality impact is high. The EPSS score is 0.011%, indicating low probability of opportunistic exploitation in the near term.
Root Cause
The root cause is improper neutralization of sensitive information before it is written to log files, mapped to [CWE-532]. Db2 logging routines record diagnostic context that includes data which should have been redacted or omitted. File system permissions on the log directory do not sufficiently restrict access to administrators, so non-privileged local accounts on the same host can read the contents.
Attack Vector
The attack vector is local. An attacker with an authenticated low-privilege shell on the Db2 server reads diagnostic log files generated by the database engine. The attacker parses log content to extract sensitive values written during normal Db2 operations. No network access, no user interaction, and no Db2 authentication are required to read the log files once local access is obtained.
No public proof-of-concept code is available. Refer to the IBM Security Advisory for vendor-specific technical details.
Detection Methods for CVE-2025-13755
Indicators of Compromise
- Read access events on Db2 diagnostic log directories (for example db2diag.log and instance-level dump directories) originating from non-administrative local accounts.
- Unexpected copy, archive, or exfiltration operations targeting Db2 log files or the DIAGPATH directory.
- Local accounts that do not own the Db2 instance accessing files under the Db2 install path.
Detection Strategies
- Audit file access on Db2 log directories using OS-native auditing (auditd on Linux, Object Access auditing on Windows) and alert on reads by non-Db2-owner accounts.
- Correlate local shell activity with file reads on Db2 diagnostic paths to identify reconnaissance against log artifacts.
- Inventory all hosts running affected Db2 versions and prioritize them for log access monitoring until patched.
Monitoring Recommendations
- Forward OS file-access audit events and Db2 diagnostic logs to a centralized log platform for retention and review.
- Establish a baseline of which accounts legitimately read Db2 log files and alert on deviations.
- Track the integrity and permission state of DIAGPATH directories so unexpected permission relaxations trigger an alert.
How to Mitigate CVE-2025-13755
Immediate Actions Required
- Apply the fix referenced in the IBM Security Advisory for Db2 11.5.x and 12.1.x.
- Restrict file system permissions on Db2 log directories so only the Db2 instance owner and administrators can read them.
- Review existing Db2 log files for previously written sensitive data and rotate or sanitize them after patching.
- Limit interactive local access to Db2 hosts to administrators only.
Patch Information
IBM has issued a remediation in the security bulletin at IBM Support node 7273554. Administrators should upgrade Db2 instances to the fix pack level specified in the advisory for both the 11.5 and 12.1 release lines. DB2 Connect Server deployments shipped with the affected Db2 releases require the same remediation.
Workarounds
- Tighten directory and file permissions on DIAGPATH and any custom log locations so only the Db2 instance owner can read them.
- Reduce diagnostic verbosity by lowering the DIAGLEVEL database manager configuration parameter to minimize sensitive data captured in logs.
- Store Db2 log files on a volume with restricted local access and enforce file-system-level access controls until patching is complete.
# Configuration example: restrict Db2 diagnostic log access and reduce verbosity
# 1. Restrict OS permissions on the Db2 diagnostic path
chown -R db2inst1:db2iadm1 /home/db2inst1/sqllib/db2dump
chmod -R 700 /home/db2inst1/sqllib/db2dump
# 2. Lower diagnostic verbosity (run as the Db2 instance owner)
db2 update dbm cfg using DIAGLEVEL 2
db2stop
db2start
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
