IBM Watsonx Vulnerability Enables SQL Injection Attacks


A critical vulnerability in the IBM Watsonx Orchestrate Cartridge for IBM Cloud Pak for Data has been disclosed, enabling blind SQL injection attacks that could compromise sensitive data.

Tracked as CVE-2025-0165, this flaw allows authenticated attackers to inject malicious SQL statements, potentially leading to unauthorized data access, manipulation, or deletion in the back-end database.

IBM’s Watsonx platform offers advanced AI and orchestration capabilities within the Cloud Pak for Data suite.

The Orchestrate Cartridge component streamlines automated workflows and integrates with various data sources.

However, a security bulletin released by IBM on August 31, 2025, warns that versions 4.8.4 through 5.2 are affected by a blind SQL injection vulnerability, where user input is not properly sanitized before being embedded in SQL commands.

Vulnerability Details

According to the official advisory, the weakness arises from improper neutralization of special elements in SQL commands, classified under CWE-89.

An attacker with ...


Copyright of this story solely belongs to gbhackers.