CVE-2025-13616
Published: 03 March 2026
Summary
CVE-2025-13616 is a medium-severity Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497) vulnerability in IBM DataStage on Cloud Pak for Data. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). It is ranked at the 13.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls (AI-generated)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Ongoing reviews detect and remove sensitive system information before it reaches publicly accessible systems.
- Detection controls identify and block attempts to mine sensitive system information and exfiltrate it to external control spheres.
- Documenting where system information is processed and stored prevents exposure to unauthorized control spheres.
- The control stops sensitive system information from crossing into unauthorized control spheres through EM emanations.
- Authorization and minimization requirements keep PII out of test/research control spheres, which often lack production-grade protections.
- Documented categorization of system information reduces the chance that sensitive internals are left exposed to unauthorized spheres.
- System information is concealed or replaced with decoys, reducing leakage to unauthorized observers.
- Ensures sensitive system information is not disclosed outside the intended control sphere through error output.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
The vulnerability directly enables remote retrieval of sensitive data via HTTP (T1005) from an exposed application (T1190).
NVD Description
IBM DataStage on Cloud Pak for Data 5.1.2 through 5.3.0 returns sensitive information in an HTTP response that could be used in further attacks against the system.
Deeper analysis (AI-generated)
CVE-2025-13616 is an information disclosure vulnerability in IBM DataStage on Cloud Pak for Data versions 5.1.2 through 5.3.0. The flaw occurs when the software returns sensitive information in an HTTP response, which could aid attackers in subsequent exploitation of the system. It is classified under CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere) with a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N), indicating medium severity primarily due to high confidentiality impact.
The vulnerability can be exploited over the network by an authenticated attacker with low privileges. No user interaction is required, and low attack complexity enables remote exploitation; the scope is unchanged. Successful exploitation grants access to sensitive data via the HTTP response, which could be leveraged for further attacks against the system, though it does not directly impact integrity or availability.
IBM has published a security bulletin detailing the issue and remediation steps at https://www.ibm.com/support/pages/node/7261771. Security practitioners should consult this advisory for patch availability and mitigation guidance specific to affected Cloud Pak for Data deployments.
Details
- CWE(s)