CVE-2025-33012

6.3 MEDIUM

📋 TL;DR

This vulnerability in IBM Db2 allows authenticated users to regain access to their accounts even after being locked out due to password expiration. It affects IBM Db2 versions 10.5.0-10.5.11, 11.1.0-11.1.4.7, 11.5.0-11.5.9, and 12.1.0-12.1.3 running on Linux systems.

💻 Affected Systems

Products:
  • IBM Db2
Versions: 10.5.0 through 10.5.11, 11.1.0 through 11.1.4.7, 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Linux installations. Requires authenticated user access.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker with valid credentials could maintain persistent access to a Db2 database even after their account should have been locked, potentially leading to unauthorized data access, modification, or exfiltration.

🟠 Likely Case

Legitimate users, or attackers holding compromised credentials, bypass the account lockout policy and keep unauthorized access to database resources after the account should have been locked.

🟢 If Mitigated

Minimal impact if strong authentication controls, network segmentation, and monitoring are in place to detect unusual access patterns.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires valid user credentials. The vulnerability appears to be a logic flaw in account lockout handling.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply fixes as specified in IBM advisory APAR IJ52530

Vendor Advisory: https://www.ibm.com/support/pages/node/7250469

Restart Required: Yes

Instructions:

1. Review IBM advisory APAR IJ52530.
2. Apply the appropriate fix pack for your Db2 version.
3. Restart Db2 services.
4. Verify the fix is applied.

🔧 Temporary Workarounds

Enforce Strong Password Policies (applies to: all)

Implement strict password policies, including regular forced password changes and account lockout after failed attempts.

Monitor Account Access (applies to: all)

Implement enhanced monitoring for account access patterns, especially for accounts that should be locked.

🧯 If You Can't Patch

  • Implement network segmentation to restrict Db2 access to authorized users only
  • Enhance monitoring and alerting for unusual authentication patterns

🔍 How to Verify

Check if Vulnerable:

Check the Db2 version with the 'db2level' command and compare it against the affected version list above.

Check Version:

db2level

Verify Fix Applied:

Confirm the installed fix pack version, then test that an account with an expired password is actually locked out.
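The version comparison above, as an added helper that is not part of this advisory or of IBM's tooling: it pulls the version token out of db2level output and checks it against the affected ranges listed on this page, comparing components as integers so that 11.5.10 is correctly ranked after 11.5.9. The sample db2level transcript, including its build tokens and install path, is constructed in the shape db2level prints on Linux, not captured from a real host; the script checks only the version, so the Linux-only scope of this issue still has to be confirmed separately.

```python
import re

# Affected ranges exactly as listed in this advisory summary (inclusive).
AFFECTED_RANGES = [
    ("10.5.0", "10.5.11"),
    ("11.1.0", "11.1.4.7"),
    ("11.5.0", "11.5.9"),
    ("12.1.0", "12.1.3"),
]

def parse_version(text):
    """Turn '11.5.9.0' into a tuple of ints so 11.5.10 sorts after 11.5.9."""
    return tuple(int(p) for p in text.split("."))

def extract_db2_version(db2level_output):
    """Return the 'DB2 vX.Y.Z.W' token from db2level output, or None if absent."""
    m = re.search(r'"DB2 v(\d+(?:\.\d+)+)"', db2level_output)
    return m.group(1) if m else None

def is_affected(version):
    """True if the version falls inside any affected range (bounds inclusive)."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        lo, hi = parse_version(low), parse_version(high)
        width = max(len(v), len(lo), len(hi))
        pad = lambda t: t + (0,) * (width - len(t))
        # The upper bound compares only the components it lists, so
        # "through 11.5.9" also covers 11.5.9.x mod packs.
        if pad(lo) <= pad(v) and pad(v)[:len(hi)] <= hi:
            return True
    return False

def check_db2level(db2level_output):
    """Return (version, affected); version is None if the output is unparsable."""
    version = extract_db2_version(db2level_output)
    if version is None:
        return None, False
    return version, is_affected(version)

# Constructed sample in the shape db2level prints on Linux (not a real capture).
SAMPLE_DB2LEVEL = '''DB21085I  This instance or install (instance name, where applicable: "db2inst1") uses "64" bits and DB2 code release "SQL11059" with level identifier "0A0A0107".
Informational tokens are "DB2 v11.5.9.0", "s2310270807", "DYN2310270807AMD64", and Fix Pack "0".
Product is installed at "/opt/ibm/db2/V11.5".'''

if __name__ == "__main__":
    ver, hit = check_db2level(SAMPLE_DB2LEVEL)
    status = "AFFECTED - apply the APAR IJ52530 fix pack" if hit else "not in an affected range"
    print(f"Db2 {ver}: {status}")
```

Pipe real output in with `db2level | python3 check_db2.py` after replacing SAMPLE_DB2LEVEL with `sys.stdin.read()`.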

📡 Detection & Monitoring

Log Indicators:

  • Successful authentication attempts for accounts that should be locked
  • Repeated authentication attempts with expired passwords

Network Indicators:

  • Unusual database access patterns from accounts that should be inactive

SIEM Query:

source="db2" AND (event_type="authentication_success" AND account_status="locked")
