CVE-2025-13723

EUVD ID: EUVD-2025-208649
Severity: MEDIUM (CVSS 3.1 base score 5.3)
Published: 2026-03-13
Vendor: ibm

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

Patch Released: Mar 18, 2026 - 19:18 (source: nvd), patch available
EUVD ID Assigned: Mar 13, 2026 - 19:00 (source: euvd), EUVD-2025-208649
Analysis Generated: Mar 13, 2026 - 19:00 (source: vuln.today)
CVE Published: Mar 13, 2026 - 18:32 (source: nvd)

Description

IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 could allow an attacker to obtain sensitive user information using an expired access token

Analysis

IBM Sterling Partner Engagement Manager versions 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 contain an authentication bypass vulnerability: an unauthenticated attacker can extract sensitive user information over the network by presenting an expired access token, with no special privileges or user interaction required. The vulnerability has a CVSS score of 5.3 with low attack complexity, meaning exploitation requires no special conditions, though the impact is limited to a confidentiality breach with no integrity or availability compromise.

Technical Context

The vulnerability resides in IBM Sterling Partner Engagement Manager's access token validation mechanism, which fails to reject expired tokens when processing subsequent API or application requests. This is a token lifecycle management failure classified under CWE-324 (Use of a Key Past its Expiration Date) and falls within the broader authentication bypass pattern. The root cause is improper enforcement of token expiration at the application layer: the server accepts a token whose validity window has passed, so a holder can reuse it beyond its intended lifetime to reach user information endpoints. The affected product (CPE cpe:2.3:a:ibm:sterling_partner_engagement_manager) is a web-based B2B integration platform in which authentication tokens are a critical security control; failing to enforce token expiration therefore creates a direct path to unauthorized information disclosure.

Affected Products

IBM Sterling Partner Engagement Manager versions 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 are vulnerable. The affected product is identified by CPE cpe:2.3:a:ibm:sterling_partner_engagement_manager. Organizations running these specific versions should consult IBM's security advisory (typically available via IBM Security Advisories or the Sterling Partner Engagement Manager documentation portal) for detailed patch availability and supported upgrade paths. Adjacent versions outside these ranges (prior to 6.2.3.0 or after 6.2.4.2) should be verified against the vendor advisory for confirmation of fix status.

Remediation

Upgrade IBM Sterling Partner Engagement Manager to versions beyond 6.2.3.5 or 6.2.4.2 as specified in the vendor's security advisory; contact IBM Support for patch availability and compatibility testing before deployment in production environments. Until upgrades can be deployed, implement token rotation policies that aggressively expire tokens on the server side and validate token expiration status on every API request; consider deploying a reverse proxy (such as IBM DataPower or Apache reverse proxy) in front of Sterling PEM to enforce token expiration checks at the gateway layer before requests reach the application. Additionally, enforce multi-factor authentication (MFA) for high-privilege accounts accessing Sterling PEM and monitor token usage logs for anomalous patterns (re-use of expired tokens) that may indicate exploitation attempts.
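The added example below is not IBM's code and does not use Sterling PEM's real token format; it models the failure class described under Technical Context with a generic HMAC-signed bearer token (a constructed format: base64url JSON payload, a dot, then a base64url HMAC-SHA256 tag) and shows the two defensive controls recommended above: an expiration check on every request (the signature-only validator is the weak pattern, the hardened one rejects expired and revoked tokens) and a log check that flags accepted requests whose token had already expired. The key, claim names, log line format and clock-skew allowance are all assumptions for the example.

```python
"""Added example (not IBM's code): expired-token enforcement plus a log check.

Token format is CONSTRUCTED for this demo, not Sterling PEM's real format:
  base64url(JSON claims) "." base64url(HMAC-SHA256(claims))
"""
import base64
import hashlib
import hmac
import json
import re
from datetime import datetime, timezone

SECRET = b"constructed-demo-key-not-a-real-secret"  # placeholder signing key
SKEW_S = 30  # assumed clock-skew allowance when comparing against `exp`


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, token_id: str, lifetime_s: int, now: int) -> str:
    """Mint a signed token carrying subject, token id (jti), issue and expiry times."""
    claims = {"sub": subject, "jti": token_id, "iat": now, "exp": now + lifetime_s}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    tag = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return f"{_b64u(payload)}.{_b64u(tag)}"


def _verify_signature(token: str):
    """Return the claims dict if the MAC is genuine, else None (malformed or forged)."""
    try:
        p, s = token.split(".")
        payload, tag = _unb64u(p), _unb64u(s)
        expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        return json.loads(payload)
    except ValueError:  # covers bad base64, bad JSON and a wrong number of parts
        return None


def validate_weak(token: str, now: int):
    """Vulnerable pattern: only the signature is checked; `exp` is never enforced."""
    return _verify_signature(token)


def validate_hardened(token: str, now: int, revoked_ids=frozenset()):
    """Hardened pattern: genuine MAC, unexpired `exp` (small skew), not revoked."""
    claims = _verify_signature(token)
    if claims is None:
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or now > exp + SKEW_S:
        return None  # expired (or missing expiry): reject on every request
    if claims.get("jti") in revoked_ids:
        return None  # server-side rotation/revocation list wins over a valid `exp`
    return claims


# Constructed access-log format: "<ISO8601 UTC> status=<code> token=<token>"
LOG_RE = re.compile(r"^(?P<ts>\S+) status=(?P<status>\d{3}) token=(?P<token>\S+)$")


def find_expired_token_reuse(log_lines):
    """Flag successful (200) requests whose token had already expired at request time."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "200":
            continue
        when = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc).timestamp()
        claims = _verify_signature(m["token"])
        if claims is not None and when > claims["exp"] + SKEW_S:
            hits.append((m["ts"], claims["sub"]))
    return hits


def _iso(ts: int) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


NOW = 1_700_000_000  # fixed reference clock so the demo is deterministic


def sample_log():
    """Constructed log lines: one valid use, one accepted expired reuse, one rejected."""
    alice = issue_token("alice", "t1", 600, NOW)
    bob = issue_token("bob", "t2", 600, NOW)
    return [
        f"{_iso(NOW + 60)} status=200 token={alice}",    # in window: fine
        f"{_iso(NOW + 3600)} status=200 token={alice}",  # expired yet accepted: alert
        f"{_iso(NOW + 3600)} status=401 token={bob}",    # expired and rejected: fine
    ]


if __name__ == "__main__":
    tok = issue_token("alice", "t1", 600, NOW)
    print("weak accepts expired token:", validate_weak(tok, NOW + 3600) is not None)
    print("hardened accepts expired token:", validate_hardened(tok, NOW + 3600) is not None)
    print("expired-token reuse found in log:", find_expired_token_reuse(sample_log()))
```

The log check is the monitoring control from the Remediation section: it needs no knowledge of how the bug is triggered, only the server's own key, so it can run over historical access logs to find requests that a correct validator would have refused.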

Priority Score

Score: 27 (scale: Low / Medium / High / Critical)
Components: KEV 0, EPSS +0.0, CVSS +26, POC 0


CVE-2025-13723 vulnerability details – vuln.today
