CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Description
IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 could allow a remote attacker to obtain sensitive information when detailed technical error messages are returned. This information could be used in further attacks against the system.
Analysis
IBM Sterling Partner Engagement Manager versions 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 contain an information disclosure vulnerability where detailed technical error messages are returned to remote attackers without authentication, exposing sensitive system information that can be leveraged for reconnaissance and follow-up attacks. With a CVSS score of 5.3 and low attack complexity requiring no privileges, this vulnerability poses a moderate risk as an information gathering vector in multi-stage attack campaigns, though direct exploitation impact is limited to confidentiality.
Technical Context
This vulnerability is rooted in CWE-209 (Information Exposure Through an Error Message), a common weakness in web applications and APIs where verbose error handling reveals system internals, configuration details, stack traces, or other sensitive metadata. IBM Sterling Partner Engagement Manager is an enterprise partner management platform that processes sensitive business data through REST/SOAP APIs and web interfaces. The affected versions (6.2.3.0-6.2.3.5 and 6.2.4.0-6.2.4.2) fail to implement proper error message sanitization, likely in authentication handlers, API endpoints, or database interaction layers. When error conditions occur—such as malformed requests, failed authentication attempts, or backend service failures—the application returns unfiltered exception details to any network-accessible endpoint, violating secure coding practices that require environment-appropriate error responses (generic messages for untrusted clients, detailed logs only in secure backend channels).
Affected Products
IBM Sterling Partner Engagement Manager is affected in versions 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 (CPE identifiers: cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.3.* and cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.4.*). Consult the IBM Security Bulletin for the affected CVE (typically found at https://www.ibm.com/support/pages/node/<node_id>) and the corresponding product security documentation to confirm your installation version and identify available patches.
Remediation
Upgrade IBM Sterling Partner Engagement Manager to a patched version released after 6.2.4.2 (IBM will provide specific version numbers in the official security advisory). Until patching is possible, implement network-level controls by restricting access to Sterling Partner Engagement Manager endpoints to trusted internal subnets or VPN users only, and deploy a Web Application Firewall (WAF) to suppress or sanitize error responses. Additionally, enable comprehensive logging and monitoring of error responses to detect reconnaissance activity, and configure the application to return generic error messages ('An error occurred. Contact support.') rather than detailed exception details by modifying the application's error handling configuration as documented in the Sterling Partner Engagement Manager administration guide.
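The contrast the Technical Context and Remediation sections draw between a CWE-209 handler and an environment-appropriate one, as an added Python illustration (not IBM's code, and not the product's actual handlers): the backend failure, the internal hostname in it, and the verbose-error markers are constructed for this example.

```python
import logging
import traceback
import uuid

log = logging.getLogger("pem.errors")

# Constructed backend failure: the message embeds an internal JDBC URL, the kind
# of detail a client must never see (the hostname is made up for this example).
def lookup_partner(partner_id):
    raise RuntimeError(
        f"connection refused: jdbc:db2://db-internal.example:50000/PEM (partner={partner_id})"
    )

def handle_error_verbose(exc):
    """'Before' (CWE-209): the full exception type, message and stack trace go to the client."""
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    return {"status": 500, "body": detail}

def handle_error_safe(exc):
    """'After': generic message to the client; full detail only in the server-side log,
    joined by a correlation id so support can still find the real cause."""
    correlation_id = uuid.uuid4().hex
    log.error("request failed [ref=%s]", correlation_id, exc_info=exc)
    return {"status": 500, "body": f"An error occurred. Contact support. (ref {correlation_id})"}

def serve(partner_id, handler):
    """Minimal request pipeline: run the backend call and route any failure to the chosen handler."""
    try:
        return {"status": 200, "body": lookup_partner(partner_id)}
    except Exception as exc:  # broad on purpose: every failure path must go through the handler
        return handler(exc)

# Assumed indicators of a verbose error response; a monitoring rule can apply the same
# check to outbound responses or WAF logs to spot endpoints still leaking internals.
LEAK_MARKERS = ("Traceback", "Exception", "at com.", "Caused by:", "jdbc:", "SQLException")

def response_leaks_details(body):
    """True if the response body carries any of the verbose-error indicators."""
    return any(marker in body for marker in LEAK_MARKERS)

if __name__ == "__main__":
    for handler in (handle_error_verbose, handle_error_safe):
        body = serve("acme-42", handler)["body"]
        print(f"{handler.__name__}: leaks={response_leaks_details(body)}")
```

The same marker check, run over captured responses, gives a quick way to confirm a WAF rule or configuration change actually stopped the leak rather than only changing the status code.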
EUVD identifier: EUVD-2025-208651