CVE-2025-36131

4.6 MEDIUM

📋 TL;DR

IBM Db2's clpplus command exposes user credentials in terminal output, allowing anyone with physical access to the system to view them. This affects Db2 versions 11.1.0-11.1.4.7, 11.5.0-11.5.9, and 12.1.0-12.1.3 on Linux, UNIX, and Windows systems.

💻 Affected Systems

Products:
  • IBM Db2
  • IBM Db2 Connect Server
Versions: 11.1.0 through 11.1.4.7, 11.5.0 through 11.5.9, 12.1.0 through 12.1.3
Operating Systems: Linux, UNIX, Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects clpplus command-line processor when used with credentials. Db2 Connect Server is also affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers with physical access obtain database credentials, leading to unauthorized data access, modification, or deletion.

🟠 Likely Case

Local users or administrators accidentally expose credentials through normal clpplus usage, which could be captured by screen recording or shoulder surfing.

🟢 If Mitigated

With proper access controls and monitoring, credential exposure is limited to authorized personnel only.

🌐 Internet-Facing: LOW - Requires physical or local system access, not remotely exploitable.
🏢 Internal Only: MEDIUM - Internal users with local access could exploit this, particularly in shared or poorly controlled environments.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: LOW - Simply requires viewing terminal output.

Exploitation requires local system access to view terminal output where credentials are displayed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply fixes from IBM: 11.1.4.8, 11.5.10, 12.1.4 or later

Vendor Advisory: https://www.ibm.com/support/pages/node/7250484

Restart Required: No

Instructions:

1. Download the appropriate fix from IBM Fix Central.
2. Apply the fix following the IBM Db2 update procedures.
3. Verify that clpplus no longer displays credentials in terminal output.

🔧 Temporary Workarounds

Avoid clpplus with credentials (all platforms)

Use alternative methods to connect to Db2 that don't expose credentials, for example the db2 command-line processor:

db2 connect to <database> user <username> using <password>

Clear terminal history (Linux)

Immediately clear the screen and the shell history after using clpplus to remove credential traces:

clear
history -c

🧯 If You Can't Patch

  • Restrict physical access to systems running Db2
  • Implement strict access controls and monitor terminal sessions

🔍 How to Verify

Check if Vulnerable:

Run clpplus with credentials and check if they appear in terminal output.

Check Version:

db2level | grep "Product installed"

Verify Fix Applied:

After patching, test clpplus with credentials to confirm they are no longer displayed.

📡 Detection & Monitoring

Log Indicators:

  • Terminal session logs showing clpplus usage with credential parameters

Network Indicators:

  • None - local exploitation only

SIEM Query:

Search for process execution events containing 'clpplus' and credential parameters
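A concrete form of that search, as an added example that is not part of the advisory: a small detector that reads auditd-style EXECVE records (the sample records below are constructed, not real logs), keeps only executions of clpplus, and flags arguments that carry an inline password. The connection-string shape `user/password@host:port/database` is assumed for clpplus; adjust the pattern if your invocations differ. The finding stores the user and target but redacts the password, so the alert itself does not become a second copy of the credential.

```python
"""Flag clpplus executions that carry credentials on the command line.

Added example; assumes auditd EXECVE records with quoted aN="..." fields and
the clpplus connection-string form user/password@host:port/database.
"""
import re
from typing import Dict, List, Optional

# Constructed sample records. Event 2002 is the one that should be flagged;
# 2003 passes only a flag and 2004 gives a user with no inline password.
SAMPLE_AUDIT_LOG = """\
type=EXECVE msg=audit(1718000000.101:2001): argc=1 a0="db2level"
type=EXECVE msg=audit(1718000000.202:2002): argc=2 a0="/opt/ibm/db2/V11.5/bin/clpplus" a1="dbuser/Example-Pass-1@dbhost:50000/SAMPLE"
type=EXECVE msg=audit(1718000000.303:2003): argc=2 a0="clpplus" a1="-nw"
type=EXECVE msg=audit(1718000000.404:2004): argc=3 a0="clpplus" a1="-verbose" a2="dbuser@dbhost:50000/SAMPLE"
type=SYSCALL msg=audit(1718000000.404:2004): arch=c000003e syscall=59 success=yes exit=0
"""

_EVENT_ID_RE = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")
# Quoted argv fields; auditd hex-encodes unquoted arguments with special
# characters, which this example does not decode.
_ARG_RE = re.compile(r'\ba(\d+)="((?:[^"\\]|\\.)*)"')
# Assumed clpplus connection string: user/password[@host:port/database]
_CONN_RE = re.compile(r"^(?P<user>[^/@\s]+)/(?P<password>[^@\s]+)(?P<target>@\S*)?$")


def parse_execve(line: str) -> Optional[Dict[str, object]]:
    """Return {'id': event id, 'argv': [...]} for an EXECVE record, else None."""
    if not line.startswith("type=EXECVE"):
        return None
    id_match = _EVENT_ID_RE.search(line)
    args = sorted(((int(i), v) for i, v in _ARG_RE.findall(line)), key=lambda t: t[0])
    return {"id": id_match.group(2) if id_match else None,
            "argv": [v for _, v in args]}


def find_inline_credentials(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per clpplus execution whose argv contains a password."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        event = parse_execve(line)
        if not event or not event["argv"]:
            continue
        argv = event["argv"]
        # Match on the basename so full paths to clpplus are caught too.
        if str(argv[0]).rsplit("/", 1)[-1] != "clpplus":
            continue
        for arg in argv[1:]:
            match = _CONN_RE.match(str(arg))
            if match is None:
                continue
            target = (match.group("target") or "")[1:]  # drop the leading '@'
            findings.append({
                "event_id": event["id"],
                "user": match.group("user"),
                "target": target,
                # Never copy the password into the alert; keep a redacted form.
                "redacted_arg": f"{match.group('user')}/<redacted>{match.group('target') or ''}",
            })
    return findings


if __name__ == "__main__":
    for finding in find_inline_credentials(SAMPLE_AUDIT_LOG):
        print(finding)
```

Feed it the EXECVE records from `ausearch -m EXECVE` (or the equivalent process-creation events in your SIEM) and route findings to the same queue as other credential-handling alerts. Note that the `db2 connect ... using <password>` workaround above also places the password in process arguments and shell history, so if you rely on that workaround, the same parser with `argv[0]` set to `db2` and a pattern on the `using` argument will tell you how often it happens.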
