CVE-2025-13219
Published: 10 March 2026
Summary
CVE-2025-13219 is a medium-severity Use of HTTP Request With Sensitive Query String (CWE-598) vulnerability in IBM Aspera Orchestrator. Its CVSS base score is 5.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unsecured Credentials (T1552). The CVE ranks at the 2.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-8 (Transmission Confidentiality and Integrity).
Deeper analysis
CVE-2025-13219 is a vulnerability in IBM Aspera Orchestrator versions 3.0.0 through 4.1.2, where sensitive information is stored in URL parameters. This flaw, classified under CWE-598, can result in information disclosure if unauthorized parties access the URLs through mechanisms such as server logs, referrer headers, or browser history. The issue received a CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) and was published on 2026-03-10.
The vulnerability can be exploited over the network by attackers requiring no privileges or user interaction, though it demands high attack complexity. Successful exploitation enables remote attackers to disclose sensitive information from the affected URLs, achieving high confidentiality impact without affecting integrity or availability.
IBM has issued an advisory providing details on this vulnerability at https://www.ibm.com/support/pages/node/7263083.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208510
Vulnerability details
IBM Aspera Orchestrator 3.0.0 through 4.1.2 stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
URL parameter exposure of sensitive data (CWE-598) directly enables access to unsecured credentials or tokens via logs/referrers/history.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Enforces information flow rules that prohibit placing sensitive data in URL parameters where it can be captured in logs, referrers, or history.
Requires confidentiality protection for transmitted data, discouraging or blocking exposure of sensitive values via query strings.
Filters sensitive information from outputs such as URLs before they are generated or logged.
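The output-filtering control described above can be applied to web access logs. The following is an added example, not IBM's code and not part of the original page: it masks sensitive query-string values in the request target and the Referer field of combined-format log lines. The parameter names in `SENSITIVE_KEYS` and the sample log lines are assumptions, since the page does not name the parameters Aspera Orchestrator uses.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed parameter names; the page does not list the ones Orchestrator uses.
SENSITIVE_KEYS = {"password", "passwd", "token", "api_key", "apikey", "secret", "session_id"}
MASK = "REDACTED"

def redact_url(url):
    """Return (redacted_url, [names of masked parameters])."""
    parts = urlsplit(url)
    hits, pairs = [], []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_KEYS and value:
            hits.append(key)
            value = MASK
        pairs.append((key, value))
    if not hits:
        return url, []  # leave untouched URLs byte-for-byte identical
    return urlunsplit(parts._replace(query=urlencode(pairs))), hits

# Request target and Referer field of a combined-format access log line.
_REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')
_REFERER = re.compile(r'" (?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)"')

def scrub_log_line(line):
    """Mask sensitive query values in both the request target and the Referer."""
    found = []
    def fix_request(m):
        url, hits = redact_url(m.group("target"))
        found.extend(hits)
        return f'"{m.group("method")} {url} {m.group("proto")}"'
    def fix_referer(m):
        url, hits = redact_url(m.group("ref"))
        found.extend(hits)
        return f'" {m.group("status")} {m.group("size")} "{url}"'
    line = _REQUEST.sub(fix_request, line, count=1)
    line = _REFERER.sub(fix_referer, line, count=1)
    return line, found

# Constructed sample lines (not taken from a real Orchestrator deployment).
SAMPLE = [
    '203.0.113.7 - - [10/Mar/2026:09:00:01 +0000] "GET /app/run?id=42&token=abc123 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Mar/2026:09:00:02 +0000] "GET /static/logo.png HTTP/1.1" 200 900 "https://host.example/app/login?user=bob&password=hunter2" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for raw in SAMPLE:
        clean, names = scrub_log_line(raw)
        print(names, clean)
```

Scrubbing logs covers only the log exposure path; values already sent in a URL can still remain in browser history and in Referer headers received by other sites.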