Cyber Resilience

CVE-2025-13723

Medium

Published: 13 March 2026

Published
13 March 2026
Modified
18 March 2026
KEV Added
Patch
CVSS Score v3.1 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS Score 0.0002 4.7th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-13723 is a medium-severity Use of a Key Past its Expiration Date (CWE-324) vulnerability in Ibm Sterling Partner Engagement Manager. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 4.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2025-13723 affects IBM Sterling Partner Engagement Manager in versions 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2. The vulnerability enables an attacker to obtain sensitive user information by using an expired access token. It is linked to CWE-324 and carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), reflecting medium severity with network accessibility, low attack complexity, no privileges or user interaction needed, and low-impact confidentiality exposure.

An unauthenticated remote attacker can exploit this issue over the network with minimal effort. By leveraging an expired access token, the attacker gains read access to sensitive user information, resulting in unauthorized data disclosure without impacting integrity or availability.

IBM's security advisory, available at https://www.ibm.com/support/pages/node/7263391, provides details on the issue and recommended mitigations.

EU & UK References

Vulnerability details

IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 could allow an attacker to obtain sensitive user information using an expired access token

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1550.001 Application Access Token Lateral Movement
Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems.
Why these techniques?

Vulnerability in public-facing app allows unauthenticated remote use of expired access tokens (CWE-324) for data access, directly mapping to public app exploitation and alternate token auth material.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-13718Same product: Ibm Sterling Partner Engagement Manager
CVE-2025-13726Same product: Ibm Sterling Partner Engagement Manager
CVE-2025-13214Same product: Linux Linux Kernel
CVE-2024-43178Same product: Linux Linux Kernel
CVE-2024-41746Same product: Linux Linux Kernel
CVE-2026-43186Same product: Linux Linux Kernel
CVE-2026-43037Same product: Linux Linux Kernel
CVE-2026-31718Same product: Linux Linux Kernel
CVE-2026-23427Same product: Linux Linux Kernel
CVE-2026-31668Same product: Linux Linux Kernel

Affected Assets

ibm
sterling partner engagement manager
6.2.3 — 6.2.3.6 · 6.2.3 — 6.2.3.6 · 6.2.4 — 6.2.4.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces access decisions so that an expired token is rejected before any sensitive user data can be read.

prevent

Requires proper management of token authenticators, including mandatory expiration and invalidation after the validity period.

prevent

Forces termination of sessions/tokens once they are no longer valid, limiting the window an expired token can be misused.

References