Skip to main content

IBM watsonx.data intelligence CVE-2025-12530

| EUVDEUVD-2025-210384 MEDIUM
Cleartext Transmission of Sensitive Information (CWE-319)
2026-06-30 ibm GHSA-4h2g-pgm3-vm4c
5.9
CVSS 3.1 · Vendor: ibm
Share

Severity by source

Vendor (ibm) PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
5.9 MEDIUM

Network vector and no auth align with passive MITM interception; AC:H reflects required network positioning; only confidentiality is impacted with no integrity or availability loss.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (ibm).

CVSS VectorVendor: ibm

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 30, 2026 - 21:21 vuln.today

DescriptionCVE.org

IBM watsonx.data intelligence 5.2.2, 5.3.0, 5.3.1, 5.3.1 through patch-1 transmits data in clear text that could allow an attacker to obtain sensitive information using man in the middle techniques.

AnalysisAI

Cleartext data transmission in IBM watsonx.data intelligence versions 5.2.2 through 5.3.1 (including patch-1) exposes sensitive information to network interception by a man-in-the-middle adversary. The platform transmits certain data without encryption, enabling an attacker positioned on the network path to capture confidential content in transit. No active exploitation has been confirmed (not in CISA KEV), and no public exploit code has been identified; however, the CVSS High confidentiality impact (C:H) signals that the interceptable data is substantively sensitive, likely including queries, credentials, or intelligence payloads.

Technical ContextAI

CWE-319 (Cleartext Transmission of Sensitive Information) describes the failure to use an encrypted channel when transmitting data that requires confidentiality. IBM watsonx.data intelligence - identified by CPE cpe:2.3:a:ibm:watsonx.data_intelligence - is an enterprise AI and data intelligence platform. The root cause here is that one or more communication paths within the platform (component-to-component or client-to-server) operate over unencrypted channels, bypassing TLS or equivalent transport-layer security. This is a protocol-configuration-layer weakness rather than a logic flaw in application code, meaning an adversary does not exploit a memory corruption issue or injection vector, but simply reads traffic that the application fails to protect. The CWE-319 root cause class is well understood and the fix pattern (enforcing TLS across all communication paths) is straightforward for vendors to apply.

RemediationAI

Apply the vendor-released patch referenced in the IBM Security Advisory at https://www.ibm.com/support/pages/node/7277802; the advisory confirms a fix is available, though the exact patched version number is not specified in currently available data and should be confirmed directly from the IBM advisory page. As a compensating control while the patch is being applied, enforce network-layer TLS between all watsonx.data intelligence service components and between clients and the platform - deploying a TLS-terminating reverse proxy at the perimeter will reduce exposure of client-facing cleartext channels, though internal inter-component cleartext paths may remain vulnerable until the vendor patch is applied. Additionally, restrict network access to watsonx.data intelligence endpoints using firewall rules or micro-segmentation to limit the network segments from which a man-in-the-middle position could be achieved, noting that this reduces attack surface but does not eliminate the vulnerability in shared or cloud-hosted environments.

Share

CVE-2025-12530 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy