Cyber Resilience

CVE-2025-13096

High

Published: 02 February 2026

Modified: 12 February 2026
CVSS Score v3.1: 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L)
EPSS Score: 0.0010 (27.3 percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-13096 is a high-severity vulnerability in IBM Business Automation Workflow, classified as SSRF (CWE-918); the vendor description characterizes it as an XML external entity injection (XXE). Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). By exploit likelihood (EPSS) it ranks at the 27.3 percentile, below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2025-13096 is an XML external entity injection (XXE) vulnerability, classified under CWE-918, affecting specific versions of IBM Business Automation Workflow. The impacted software includes IBM Business Automation Workflow containers V25.0.0 through V25.0.0-IF007, V24.0.1 through V24.0.1-IF007, and V24.0.0 through V24.0.0-IF007, as well as IBM Business Automation Workflow traditional deployments at V25.0.0, V24.0.1, and V24.0.0. The flaw is triggered when the software processes XML data, and it is scored at CVSS 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L).

A remote attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation lets the attacker disclose sensitive information (high confidentiality impact, C:H) or cause limited denial of service through memory resource consumption (A:L); there is no integrity impact (I:N).

IBM's security advisory provides details on mitigation and patches; refer to https://www.ibm.com/support/pages/node/7259321 for remediation guidance specific to the affected versions.

Vulnerability details

IBM Business Automation Workflow containers V25.0.0 through V25.0.0-IF007, V24.0.1 - V24.0.1-IF007, V24.0.0 - V24.0.0-IF007 and IBM Business Automation Workflow traditional V25.0.0, V24.0.1, V24.0.0 are vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

Why these techniques?

XXE directly enables remote exploitation of a public-facing workflow app (T1190) for local file/system data disclosure (T1005) and limited DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-1343 (same vendor: IBM)
CVE-2026-1567 (same vendor: IBM)
CVE-2025-0162 (same vendor: IBM)
CVE-2024-45652 (same vendor: IBM)
CVE-2025-13616 (same vendor: IBM)
CVE-2024-41771 (same vendor: IBM)
CVE-2024-56340 (same vendor: IBM)
CVE-2025-12531 (same vendor: IBM)
CVE-2023-49886 (same vendor: IBM)
CVE-2024-39750 (same vendor: IBM)

Affected Assets

ibm
business automation workflow
24.0.0, 24.0.1, 25.0.0 · ≤ 24.0.0 · ≤ 24.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Directly requires validation of XML input to reject external entity declarations, blocking the XXE attack vector in IBM Business Automation Workflow's XML processing.

Prevent: Boundary protection rules can deny the outbound network requests that XXE uses to retrieve external entities, limiting information disclosure and resource exhaustion.

Detect: System monitoring can identify anomalous XML parsing behavior or memory spikes indicative of successful XXE exploitation against the workflow containers.
