Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
On-path network positioning required (AC:H); passive interception yields no integrity or availability impact, only confidentiality loss.
Primary rating from Vendor (ibm).
CVSS VectorVendor: ibm
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.2.2, 5.3.0 transmits data in clear text that could allow an attacker to obtain sensitive information using man in the middle techniques.
AnalysisAI
Cleartext transmission in IBM watsonx.data intelligence versions 5.2.0 through 5.3.0 exposes sensitive data to interception by network-adjacent attackers using man-in-the-middle techniques. The CVSS vector (AV:N/AC:H/PR:N) confirms exploitation requires no authentication but does demand the attacker occupy a privileged on-path network position, moderating the overall risk. No public exploit code and no CISA KEV listing have been identified at time of analysis; vendor-released patch is available.
Technical ContextAI
CWE-319 (Cleartext Transmission of Sensitive Information) describes the root cause: the application transmits sensitive data over a network channel without adequate cryptographic protection, making that data readable to any on-path observer. IBM watsonx.data intelligence is an enterprise AI and data lakehouse platform. The affected CPE is cpe:2.3:a:ibm:watsonx.data_intelligence:*:*:*:*:*:*:*:*, covering versions 5.2.0, 5.2.1, 5.2.2, and 5.3.0. The vulnerability likely involves one or more internal or external communication channels - such as inter-service API calls, data ingestion pipelines, or client connections - where TLS is absent or bypassable, allowing passive capture of credentials, query data, or query results.
RemediationAI
Apply the vendor-released patch documented in IBM support advisory https://www.ibm.com/support/pages/node/7277801. The exact fixed version number is not specified in available input data - consult the advisory directly to identify the target upgrade version. If immediate patching is not feasible, deploy compensating controls: enforce TLS encryption on all network paths connecting watsonx.data intelligence services to clients and backends; apply network segmentation to restrict which hosts can communicate with the watsonx.data infrastructure, reducing on-path attacker opportunity; and enable network-level monitoring (e.g., IDS/IPS signatures for unencrypted sensitive data patterns) to detect cleartext transmission. Note that network segmentation reduces exposure but does not eliminate the vulnerability - patching remains the authoritative fix.
More in Watsonx Data Intelligence
View allClient-side enforcement of server-side security in IBM watsonx.data Intelligence versions 5.2.0 through 5.3.0 allows an
Stored cross-site scripting in IBM watsonx.data intelligence versions 5.2.0 through 5.3.0 allows authenticated low-privi
Cleartext data transmission in IBM watsonx.data intelligence versions 5.2.2 through 5.3.1 (including patch-1) exposes se
HTML injection in IBM watsonx.data Intelligence versions 5.2.0 through 5.3.0 enables a remote authenticated attacker to
Cross-site scripting in IBM watsonx.data Intelligence 5.2.0 through 5.3.0 allows low-privileged authenticated users to i
Temporary denial of service in IBM watsonx.data intelligence 5.2.0 through 5.3.0 is achievable by authenticated users wh
IBM watsonx.data Intelligence versions 5.2.0 through 5.3.0 leak sensitive technical information to the browser via verbo
IBM watsonx.data Intelligence versions 5.2.0 through 5.3.0 exposes authenticated users to unauthorized action execution
Server-side request forgery in IBM watsonx.data intelligence versions 5.2.0 through 5.3.0 enables authenticated attacker
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210375
GHSA-jxqf-888q-rfrh