Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 could allow an attacker to obtain sensitive user information using an expired access token
AnalysisAI
IBM Sterling Partner Engagement Manager versions 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 contain an authentication bypass vulnerability that allows unauthenticated attackers to extract sensitive user information by leveraging expired access tokens over the network without requiring special privileges or user interaction. The vulnerability has a CVSS score of 5.3 with low attack complexity, meaning exploitation is straightforward and requires no special conditions, though the impact is limited to confidentiality breaches with no integrity or availability compromise.
Technical ContextAI
The vulnerability resides in IBM Sterling Partner Engagement Manager's access token validation mechanism, which fails to properly invalidate or reject expired tokens when processing subsequent API or application requests. This represents a token lifecycle management failure classified under CWE-324 (Cleartext Transmission of Sensitive Information) and broader authentication bypass patterns. The root cause involves improper token expiration enforcement at the application layer, allowing attackers to reuse tokens beyond their intended validity window to access user information endpoints. The affected product (CPE specification cpe:2.3:a:ibm:sterling_partner_engagement_manager) implements a web-based B2B integration platform where authentication tokens are critical security controls; failure to enforce token expiration creates a direct path to unauthorized information disclosure.
RemediationAI
Upgrade IBM Sterling Partner Engagement Manager to versions beyond 6.2.3.5 or 6.2.4.2 as specified in the vendor's security advisory; contact IBM Support for patch availability and compatibility testing before deployment in production environments. Until upgrades can be deployed, implement token rotation policies that aggressively expire tokens on the server side and validate token expiration status on every API request; consider deploying a reverse proxy (such as IBM DataPower or Apache reverse proxy) in front of Sterling PEM to enforce token expiration checks at the gateway layer before requests reach the application. Additionally, enforce multi-factor authentication (MFA) for high-privilege accounts accessing Sterling PEM and monitor token usage logs for anomalous patterns (re-use of expired tokens) that may indicate exploitation attempts.
IBM Sterling Partner Engagement Manager 6.1, 6.2, and 6.2.1 could allow a remote attacker to hijack the clicking action
IBM Sterling Partner Engagement Manager 6.1.0, 6.2.0, 6.2.2 JWT secret is stored in public Helm Charts and is not stored
IBM Sterling Partner Engagement Manager 6.1.2, 6.2.0, and 6.2.2 could allow a remote user to perform unauthorized action
IBM Sterling Partner Engagement Manager 6.1, 6.2, and Cloud 22.2 do not limit the length of a connection which could cau
IBM Sterling Partner Engagement Manager 6.1 is vulnerable to an XML External Entity Injection (XXE) attack when processi
IBM Sterling Partner Engagement Manager 2.0 does not invalidate session after logout which could allow an authenticated
IBM Sterling Partner Engagement Manager 6.1.2, 6.2.0, and 6.2.2 is vulnerable to stored cross-site scripting. Rated medi
IBM Sterling Partner Engagement Manager 6.1, 6.2, and 6.2.1 is vulnerable to stored cross-site scripting. Rated medium s
IBM Sterling Partner Engagement Manager 6.1, 6.2, and 6.2.1 is vulnerable to cross-site scripting. Rated medium severity
IBM Sterling Partner Engagement Manager versions 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 contain an informat
Same weakness CWE-324 – Use of a Key Past its Expiration Date
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-208649