CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Description (NVD)
IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 could allow an attacker to obtain sensitive user information using an expired access token.
Analysis (AI)
IBM Sterling Partner Engagement Manager versions 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 contain an authentication bypass vulnerability that allows unauthenticated attackers to extract sensitive user information by leveraging expired access tokens over the network without requiring special privileges or user interaction. The vulnerability has a CVSS score of 5.3 with low attack complexity, meaning exploitation is straightforward and requires no special conditions, though the impact is limited to confidentiality breaches with no integrity or availability compromise.
Technical Context (AI)
The vulnerability resides in IBM Sterling Partner Engagement Manager's access token validation mechanism, which fails to properly invalidate or reject expired tokens when processing subsequent API or application requests. This is a token lifecycle management failure classified under CWE-324 (Use of a Key Past its Expiration Date) and falls under broader authentication bypass patterns. The root cause is improper token expiration enforcement at the application layer, which allows an attacker to reuse a token beyond its intended validity window to reach user information endpoints. The affected product (CPE specification cpe:2.3:a:ibm:sterling_partner_engagement_manager) is a web-based B2B integration platform in which authentication tokens are a critical security control; failing to enforce token expiration creates a direct path to unauthorized information disclosure.
Remediation (AI)
Upgrade IBM Sterling Partner Engagement Manager to versions beyond 6.2.3.5 or 6.2.4.2 as specified in the vendor's security advisory; contact IBM Support for patch availability and compatibility testing before deployment in production environments. Until upgrades can be deployed, implement token rotation policies that aggressively expire tokens on the server side and validate token expiration status on every API request; consider deploying a reverse proxy (such as IBM DataPower or Apache reverse proxy) in front of Sterling PEM to enforce token expiration checks at the gateway layer before requests reach the application. Additionally, enforce multi-factor authentication (MFA) for high-privilege accounts accessing Sterling PEM and monitor token usage logs for anomalous patterns (re-use of expired tokens) that may indicate exploitation attempts.
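The expiry-enforcement failure described in the Technical Context, and the per-request expiration check and log review recommended above, as an added example (not IBM's code and not part of this record). It assumes a hypothetical bearer-token format, base64url(JSON payload with "sub" and "exp") plus an HMAC-SHA256 tag, and a constructed access-log shape of (request_time, token, http_status); Sterling PEM's real token and log formats are not described on this page.

```python
# Added example: a validator that checks only the signature (accepts expired tokens,
# the failure mode this CVE describes) beside a hardened validator, plus an audit
# that flags accepted requests made with an already-expired token.
# Token format and log record shape are assumptions, not Sterling PEM's own.
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"  # constructed; a deployment uses a managed secret
SKEW = 30  # seconds of clock tolerance allowed past "exp"

def b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64u_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(subject: str, ttl: int, now: int) -> str:
    payload = b64u(json.dumps({"sub": subject, "exp": now + ttl}).encode())
    tag = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"

def _verify_signature(token: str):
    payload, _, tag = token.rpartition(".")
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(b64u_decode(payload))

def validate_vulnerable(token: str, now: int):
    """Signature only: 'now' is ignored, so an expired token is still accepted."""
    return _verify_signature(token)

def validate_hardened(token: str, now: int, revoked=frozenset()):
    """Signature, bounded-skew expiry and server-side revocation, on every request."""
    claims = _verify_signature(token)
    if claims is None or not isinstance(claims.get("exp"), int):
        return None
    if now > claims["exp"] + SKEW or token in revoked:
        return None
    return claims

def audit_expired_token_use(records):
    """Return (time, subject) for requests *accepted* (2xx) with an expired token."""
    hits = []
    for ts, token, status in records:
        claims = _verify_signature(token)
        if claims and 200 <= status < 300 and ts > claims["exp"] + SKEW:
            hits.append((ts, claims["sub"]))
    return hits
```

A hit from audit_expired_token_use is the "re-use of expired tokens" pattern the remediation text says to monitor for; the same check placed at a reverse proxy is the gateway-layer control it describes.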
EUVD-2025-208649