Skip to main content

Sterling Partner Engagement Manager CVE-2025-13726

| EUVDEUVD-2025-208651 MEDIUM
Error Message Information Leak (CWE-209)
2026-03-13 ibm
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Mar 18, 2026 - 20:28 nvd
Patch available
EUVD ID Assigned
Mar 13, 2026 - 19:00 euvd
EUVD-2025-208651
Analysis Generated
Mar 13, 2026 - 19:00 vuln.today
CVE Published
Mar 13, 2026 - 18:26 nvd
MEDIUM 5.3

DescriptionCVE.org

IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 could allow a remote attacker to obtain sensitive information when detailed technical error messages are returned. This information could be used in further attacks against the system.

AnalysisAI

IBM Sterling Partner Engagement Manager versions 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 contain an information disclosure vulnerability where detailed technical error messages are returned to remote attackers without authentication, exposing sensitive system information that can be leveraged for reconnaissance and follow-up attacks. With a CVSS score of 5.3 and low attack complexity requiring no privileges, this vulnerability poses a moderate risk as an information gathering vector in multi-stage attack campaigns, though direct exploitation impact is limited to confidentiality.

Technical ContextAI

This vulnerability is rooted in CWE-209 (Information Exposure Through an Error Message), a common weakness in web applications and APIs where verbose error handling reveals system internals, configuration details, stack traces, or other sensitive metadata. IBM Sterling Partner Engagement Manager is an enterprise partner management platform that processes sensitive business data through REST/SOAP APIs and web interfaces. The affected versions (6.2.3.0-6.2.3.5 and 6.2.4.0-6.2.4.2) fail to implement proper error message sanitization, likely in authentication handlers, API endpoints, or database interaction layers. When error conditions occur—such as malformed requests, failed authentication attempts, or backend service failures—the application returns unfiltered exception details to any network-accessible endpoint, violating secure coding practices that require environment-appropriate error responses (generic messages for untrusted clients, detailed logs only in secure backend channels).

RemediationAI

Upgrade IBM Sterling Partner Engagement Manager to a patched version released after 6.2.4.2 (IBM will provide specific version numbers in the official security advisory). Until patching is possible, implement network-level controls by restricting access to Sterling Partner Engagement Manager endpoints to trusted internal subnets or VPN users only, and deploy a Web Application Firewall (WAF) to suppress or sanitize error responses. Additionally, enable comprehensive logging and monitoring of error responses to detect reconnaissance activity, and configure the application to return generic error messages ('An error occurred. Contact support.') rather than detailed exception details by modifying the application's error handling configuration as documented in the Sterling Partner Engagement Manager administration guide.

CVE-2023-23482 CRITICAL
9.6 Jun 08

IBM Sterling Partner Engagement Manager 6.1, 6.2, and 6.2.1 could allow a remote attacker to hijack the clicking action

CVE-2025-33093 HIGH
7.5 May 07

IBM Sterling Partner Engagement Manager 6.1.0, 6.2.0, 6.2.2 JWT secret is stored in public Helm Charts and is not stored

CVE-2023-43045 HIGH
7.5 Oct 23

IBM Sterling Partner Engagement Manager 6.1.2, 6.2.0, and 6.2.2 could allow a remote user to perform unauthorized action

CVE-2022-35639 HIGH
7.5 Jul 26

IBM Sterling Partner Engagement Manager 6.1, 6.2, and Cloud 22.2 do not limit the length of a connection which could cau

CVE-2022-34348 HIGH
7.1 Sep 23

IBM Sterling Partner Engagement Manager 6.1 is vulnerable to an XML External Entity Injection (XXE) attack when processi

CVE-2022-34334 MEDIUM
6.5 Oct 10

IBM Sterling Partner Engagement Manager 2.0 does not invalidate session after logout which could allow an authenticated

CVE-2023-38722 MEDIUM
5.4 Oct 23

IBM Sterling Partner Engagement Manager 6.1.2, 6.2.0, and 6.2.2 is vulnerable to stored cross-site scripting. Rated medi

CVE-2023-23481 MEDIUM
5.4 Jun 08

IBM Sterling Partner Engagement Manager 6.1, 6.2, and 6.2.1 is vulnerable to stored cross-site scripting. Rated medium s

CVE-2023-23480 MEDIUM
5.4 Jun 08

IBM Sterling Partner Engagement Manager 6.1, 6.2, and 6.2.1 is vulnerable to cross-site scripting. Rated medium severity

CVE-2025-13723 MEDIUM
5.3 Mar 13

IBM Sterling Partner Engagement Manager versions 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 contain an authenti

Share

CVE-2025-13726 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy