Cyber Resilience

CVE-2025-13219

Medium

Published: 10 March 2026

Modified: 12 March 2026
KEV Added
Patch
CVSS Score v3.1: 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0001 (2.8th percentile)
Risk Priority: 12 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-13219 is a medium-severity Use of HTTP Request With Sensitive Query String (CWE-598) vulnerability in IBM Aspera Orchestrator. Its CVSS base score is 5.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unsecured Credentials (T1552). The CVE ranks at the 2.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-8 (Transmission Confidentiality and Integrity).

Deeper analysis

CVE-2025-13219 is a vulnerability in IBM Aspera Orchestrator versions 3.0.0 through 4.1.2, where sensitive information is stored in URL parameters. This flaw, classified under CWE-598, can result in information disclosure if unauthorized parties access the URLs through mechanisms such as server logs, referrer headers, or browser history. The issue received a CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) and was published on 2026-03-10.

The vulnerability can be exploited over the network by attackers requiring no privileges or user interaction, though it demands high attack complexity. Successful exploitation enables remote attackers to disclose sensitive information from the affected URLs, achieving high confidentiality impact without affecting integrity or availability.

IBM has issued an advisory providing details on this vulnerability at https://www.ibm.com/support/pages/node/7263083.

Vulnerability details

IBM Aspera Orchestrator 3.0.0 through 4.1.2 stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history.

CWE(s)

CWE-598 (Use of HTTP Request With Sensitive Query String)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1552 Unsecured Credentials (Tactic: Credential Access)
Adversaries may search compromised systems to find and obtain insecurely stored credentials.
Why these techniques?

URL parameter exposure of sensitive data (CWE-598) directly enables access to unsecured credentials or tokens via logs/referrers/history.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-13214 (Same product: IBM Aspera Orchestrator)
CVE-2025-36253 (Same product: Linux Linux Kernel)
CVE-2024-43178 (Same product: Linux Linux Kernel)
CVE-2024-57905 (Same product: Linux Linux Kernel)
CVE-2024-41742 (Same product: Linux Linux Kernel)
CVE-2025-33088 (Same product: Linux Linux Kernel)
CVE-2025-13718 (Same product: Linux Linux Kernel)
CVE-2024-41746 (Same product: Linux Linux Kernel)
CVE-2024-51476 (Same product: Linux Linux Kernel)
CVE-2024-41743 (Same product: Linux Linux Kernel)

Affected Assets

ibm
aspera orchestrator
3.0.0 — 4.1.3

Mitigating Controls (NIST 800-53 r5)

prevent

Enforces information flow rules that prohibit placing sensitive data in URL parameters where it can be captured in logs, referrers, or history.

prevent

Requires confidentiality protection for transmitted data, discouraging or blocking exposure of sensitive values via query strings.

prevent

Filters sensitive information from outputs such as URLs before they are generated or logged.
