CVE-2025-13108
Published: 17 February 2026
Summary
CVE-2025-13108 is a medium-severity Sensitive Information in Resource Not Removed Before Reuse (CWE-226) vulnerability in IBM Db2 Merge Backup. Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE is ranked at the 10.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not been run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
The eradication and cross-system identification steps ensure sensitive information is removed before resources are reused or further accessed.
Requiring sanitization of media prior to removal for off-site maintenance ensures sensitive information is removed before the resource is reused or accessed externally.
Procedures include sanitization, overwriting, and disposal requirements to remove sensitive data before media reuse or release.
Requiring sanitization prior to reuse directly ensures sensitive information is removed from resources before they are reused by others.
Downgrading enables reuse of media at lower security levels, and the mandated process ensures sensitive information is removed beforehand to prevent exposure on reused resources.
Directly requires removal of sensitive data from resources before reuse or reallocation to another subject, eliminating residual information transfer.
Explicit retention limits and destruction rules reduce the persistence of sensitive information in reusable resources.
Periodic quality checks and deletion ensure sensitive PII is removed from resources prior to reuse or retention beyond its valid lifetime.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables local reading of residual sensitive data (e.g., credentials) from memory buffers that were not cleared before reuse.
NVD Description
IBM DB2 Merge Backup for Linux, UNIX and Windows 12.1.0.0 could allow an attacker to access sensitive information in memory due to the buffer not properly clearing resources.
Deeper analysis
CVE-2025-13108 affects IBM DB2 Merge Backup for Linux, UNIX, and Windows version 12.1.0.0. The vulnerability arises because a buffer is not cleared before it is reused, so sensitive information left in memory from an earlier operation can be read by whoever next obtains that buffer. It is classified under CWE-226 (Sensitive Information in Resource Not Removed Before Reuse) and has a CVSS v3.1 base score of 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N): medium severity, with high confidentiality impact but no integrity or availability impact.
A local attacker with low privileges can exploit this issue with low complexity and no user interaction required. Successful exploitation enables the reading of sensitive data from memory that should have been cleared, potentially exposing confidential information such as credentials, keys, or other runtime data without altering system integrity or availability.
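The pattern behind CWE-226, shown as an added example rather than IBM's code: a shared scratch buffer receives a credential, the caller returns without wiping it, and a later, lower-trust user of the same buffer overwrites only a few bytes, leaving the rest of the secret readable. The hardened variant wipes the buffer through a volatile function pointer so the compiler cannot discard the clear as a dead store. All names, sizes and the sample credential are constructed for illustration and do not describe DB2 Merge Backup internals.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical shared scratch buffer standing in for the reused resource
 * that CWE-226 describes (not DB2 Merge Backup's actual buffer). */
#define BUF_SIZE 64
static unsigned char scratch[BUF_SIZE];

/* Constructed sample credential used only by this example. */
static const char SAMPLE_SECRET[] = "db2admin:S3cretPassw0rd!";

/* Wipe through a volatile function pointer so the optimizer cannot elide the
 * memset as a dead store. memset_s (C11 Annex K) or explicit_bzero do the
 * same job where available, but are not portable. */
static void *(*const volatile wipe_fn)(void *, int, size_t) = memset;
static void secure_wipe(void *p, size_t n) { wipe_fn(p, 0, n); }

/* Copies src into scratch, bounded and NUL-terminated. */
static void fill_scratch(const char *src)
{
    size_t n = strlen(src);
    if (n > BUF_SIZE - 1) n = BUF_SIZE - 1;
    memcpy(scratch, src, n);
    scratch[n] = '\0';
}

/* Vulnerable pattern: load the secret, use it, return without clearing. */
static void use_secret_vulnerable(const char *secret)
{
    fill_scratch(secret);
    /* ... authenticate with scratch (omitted) ... */
    /* bug: no wipe, the secret stays in the buffer for the next user */
}

/* Hardened pattern: identical, but the buffer is wiped before any reuse. */
static void use_secret_hardened(const char *secret)
{
    fill_scratch(secret);
    /* ... authenticate with scratch (omitted) ... */
    secure_wipe(scratch, BUF_SIZE);
}

/* Byte-wise search for needle anywhere in hay, looking past NUL bytes,
 * which is what an attacker reading raw memory would do. */
static int buffer_contains(const unsigned char *hay, size_t haylen, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= haylen; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

/* Runs one flow (0 = vulnerable, 1 = hardened) on a fresh buffer, lets a
 * second caller reuse it with a short value, then reports whether the
 * password portion of the secret is still readable. Returns 1 on residue. */
int residue_after_reuse(int hardened)
{
    memset(scratch, 0, BUF_SIZE);            /* simulate a fresh allocation */
    if (hardened) use_secret_hardened(SAMPLE_SECRET);
    else          use_secret_vulnerable(SAMPLE_SECRET);
    fill_scratch("ok");                      /* second user overwrites 3 bytes */
    return buffer_contains(scratch, BUF_SIZE, "S3cretPassw0rd!");
}

int main(void)
{
    printf("vulnerable flow leaves residue: %d\n", residue_after_reuse(0));
    printf("hardened flow leaves residue:   %d\n", residue_after_reuse(1));
    return 0;
}
```

The vulnerable flow reports residue because the second caller's "ok" only covers the first three bytes; the hardened flow reports none because the wipe ran before the hand-off. The volatile-pointer indirection matters: a plain `memset` immediately before a buffer goes out of scope or is handed over is exactly the store an optimizer is entitled to remove.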
IBM's security advisory at https://www.ibm.com/support/pages/node/7260043 provides details on mitigation, including available patches for the affected DB2 Merge Backup component. Security practitioners should review the advisory for fix packs, confirm the installed Db2 Merge Backup version against its affected and fixed lists, and apply the fix promptly to remediate the buffer clearing deficiency.
Details
- CWE(s)