Cyber Posture

CVE-2025-13219

Medium

Published: 10 March 2026

Modified: 12 March 2026
CVSS Score: 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0001 (2.5th percentile)
Risk Priority: 12 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-13219 is a medium-severity Use of GET Request Method With Sensitive Query Strings (CWE-598) vulnerability in IBM Aspera Orchestrator. Its CVSS base score is 5.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unsecured Credentials (T1552). The CVE ranks at the 2.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Unsecured Credentials (T1552).

Threat & Defense Details

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-598

Protects sensitive data placed in query strings from interception in transit when confidentiality controls like HTTPS are enforced.

MITRE ATT&CK Enterprise Techniques

T1552: Unsecured Credentials (Credential Access)
Adversaries may search compromised systems to find and obtain insecurely stored credentials.
Why these techniques?

URL parameter exposure of sensitive data (CWE-598) directly enables access to unsecured credentials or tokens via logs/referrers/history.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

IBM Aspera Orchestrator 3.0.0 through 4.1.2 stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history.

Deeper analysis

CVE-2025-13219 is a vulnerability in IBM Aspera Orchestrator versions 3.0.0 through 4.1.2, where sensitive information is stored in URL parameters. This flaw, classified under CWE-598, can result in information disclosure if unauthorized parties access the URLs through mechanisms such as server logs, referrer headers, or browser history. The issue received a CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) and was published on 2026-03-10.

The vulnerability can be exploited over the network by attackers requiring no privileges or user interaction, though it demands high attack complexity. Successful exploitation enables remote attackers to disclose sensitive information from the affected URLs, achieving high confidentiality impact without affecting integrity or availability.

IBM has issued an advisory providing details on this vulnerability at https://www.ibm.com/support/pages/node/7263083.

Details

CWE(s): CWE-598

Affected Products

ibm
aspera orchestrator
3.0.0 — 4.1.3

CVEs Like This One

CVE-2025-13214 (Same product: IBM Aspera Orchestrator)
CVE-2025-36253 (Same product: Linux Linux Kernel)
CVE-2024-57905 (Same product: Linux Linux Kernel)
CVE-2024-41742 (Same product: Linux Linux Kernel)
CVE-2024-45643 (Same product: Linux Linux Kernel)
CVE-2025-13726 (Same product: Linux Linux Kernel)
CVE-2025-33088 (Same product: Linux Linux Kernel)
CVE-2025-13723 (Same product: Linux Linux Kernel)
CVE-2024-43178 (Same product: Linux Linux Kernel)
CVE-2025-13718 (Same product: Linux Linux Kernel)
