CVE-2025-13616
Published: 03 March 2026
Summary
CVE-2025-13616 is a medium-severity Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497) vulnerability in IBM DataStage on Cloud Pak for Data. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The vulnerability ranks at the 13.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-13616 is an information disclosure vulnerability in IBM DataStage on Cloud Pak for Data versions 5.1.2 through 5.3.0. The flaw occurs when the software returns sensitive system information in an HTTP response; an attacker who collects that information can use it to plan further attacks against the deployment. It is classified under CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere) with a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N); the medium rating reflects a high confidentiality impact and no impact on integrity or availability.
The vulnerability is exploitable over the network by an authenticated attacker holding low privileges (PR:L). No user interaction is required, attack complexity is low, and the scope is unchanged, so the impact stays within the vulnerable component. Successful exploitation discloses sensitive data in the HTTP response. Because the attacker only needs a low-privileged account, every user who can authenticate to an affected DataStage instance should be treated as able to trigger the disclosure until the fix is applied.
IBM has published a security bulletin detailing the issue and remediation steps at https://www.ibm.com/support/pages/node/7261771. Security practitioners should consult this advisory for fixed versions and mitigation guidance specific to affected Cloud Pak for Data deployments.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208250
Vulnerability details
IBM DataStage on Cloud Pak for Data 5.1.2 through 5.3.0 returns sensitive information in an HTTP response that could be used in further attacks against the system.
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1005 Data from Local System
- T1190 Exploit Public-Facing Application
Why these techniques?
The vulnerability directly enables remote retrieval of sensitive data over HTTP (T1005) from an exposed application (T1190).
Affected Assets
- IBM DataStage on Cloud Pak for Data, versions 5.1.2 through 5.3.0
Mitigating Controls (NIST 800-53 r5)
- AC-4 (Information Flow Enforcement): enforces information flow policies so that sensitive data is not returned in HTTP responses to users who should not receive it.
- SI-15 (Information Output Filtering): filters sensitive information from system output (HTTP responses) before delivery, directly blocking the exposure described in CWE-497.
- Access enforcement on data objects: ensures that only authorized content is included in responses to authenticated callers.
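As an added illustration (not IBM's code and not taken from the advisory), the following Python sketch shows both sides of this bug class: a triage helper that walks a captured JSON response and flags fields carrying system information, and an output filter of the kind SI-15 describes that strips those fields before a response leaves the service. The example response body, the key list and the regexes are constructed assumptions for this example; the page does not say which fields DataStage actually returns, so a real deployment would derive the key list from its own response schema.

```python
import json
import re

# Constructed example of an over-verbose error body from an internal job API.
# It is made up for this illustration, not an actual DataStage response.
LEAKY_BODY = {
    "message": "Job submission failed",
    "exception": "java.sql.SQLException: connection refused",
    "stack_trace": "\tat com.example.ds.JobRunner.submit(JobRunner.java:212)\n"
                   "\tat com.example.ds.api.JobsController.post(JobsController.java:88)",
    "db_connection": "jdbc:db2://db2-0.cpd-instance.svc:50000/DSDB",
    "internal_host": "ds-engine-0.cpd-instance.svc.cluster.local",
    "request_id": "8f1c2a",
}

# Keys whose values should never reach a caller, whatever their privilege level.
# Assumed for this example; derive the real list from the service's schema.
SENSITIVE_KEYS = {"exception", "stack_trace", "stacktrace", "db_connection",
                  "internal_host", "server_version", "debug", "sql"}

# Patterns that indicate system information leaking inside free-text fields.
SENSITIVE_PATTERNS = {
    "stack frame": re.compile(r"\bat [\w$.]+\([\w.]+:\d+\)"),
    "internal hostname": re.compile(r"\b[\w-]+(?:\.[\w-]+)*\.(?:svc|internal|local)\b"),
    "jdbc url": re.compile(r"\bjdbc:\w+://\S+"),
    "filesystem path": re.compile(r"(?<![\w/])(?:/[\w.-]+){3,}"),
}


def find_leaks(body, path=""):
    """Walk a decoded JSON body and return (json_path, reason) for every field
    that carries system information. Useful for triage: run it over responses
    captured from a proxy while exercising the app as a low-privileged user."""
    findings = []
    if isinstance(body, dict):
        for key, value in body.items():
            child = f"{path}.{key}" if path else key
            if key.lower() in SENSITIVE_KEYS:
                findings.append((child, f"sensitive key '{key}'"))
            else:
                findings.extend(find_leaks(value, child))
    elif isinstance(body, list):
        for i, item in enumerate(body):
            findings.extend(find_leaks(item, f"{path}[{i}]"))
    elif isinstance(body, str):
        for reason, pattern in SENSITIVE_PATTERNS.items():
            if pattern.search(body):
                findings.append((path, reason))
    return findings


def sanitize(body):
    """Return a copy of the body with sensitive keys dropped and leaking
    substrings redacted: the SI-15 output filter applied at the edge."""
    if isinstance(body, dict):
        return {k: sanitize(v) for k, v in body.items()
                if k.lower() not in SENSITIVE_KEYS}
    if isinstance(body, list):
        return [sanitize(v) for v in body]
    if isinstance(body, str):
        for pattern in SENSITIVE_PATTERNS.values():
            body = pattern.sub("[redacted]", body)
        return body
    return body


def filtered_response(status, body):
    """Build the client-facing (status, json_text) pair for a dict body.
    Server-side failures also get a generic message, so nothing about the
    failure's cause crosses the trust boundary; the request_id stays so the
    caller can still report the problem."""
    clean = sanitize(body)
    if status >= 500:
        clean["message"] = "Internal error; quote the request_id when reporting it."
    return status, json.dumps(clean, sort_keys=True)


if __name__ == "__main__":
    for json_path, reason in find_leaks(LEAKY_BODY):
        print(f"leak at {json_path}: {reason}")
    print(filtered_response(500, LEAKY_BODY))
```

The triage helper is what a tester would point at proxy captures to find responses like the one this CVE describes; the filter is the server-side fix, placed where every response passes through it (a middleware or a serializer) rather than patched into individual handlers, so a new verbose code path cannot reintroduce the leak.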