CVE-2025-13723

Medium

Published: 13 March 2026

Published

13 March 2026

Modified

18 March 2026

KEV Added

—

Patch

—

CVSS Score 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS Score 0.0002 4.2th percentile

Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-13723 is a medium-severity Use of a Key Past its Expiration Date (CWE-324) vulnerability in Ibm Sterling Partner Engagement Manager. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 4.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

SC-12 Cryptographic Key Establishment and Management

addresses: CWE-324

Key-management requirements enforce lifecycle controls that prevent continued use of expired or superseded keys.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1550.001 Application Access Token Lateral Movement

Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems.

attack.mitre.org →

Why these techniques?

Vulnerability in public-facing app allows unauthenticated remote use of expired access tokens (CWE-324) for data access, directly mapping to public app exploitation and alternate token auth material.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 could allow an attacker to obtain sensitive user information using an expired access token

Deeper analysisAI

CVE-2025-13723 affects IBM Sterling Partner Engagement Manager in versions 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2. The vulnerability enables an attacker to obtain sensitive user information by using an expired access token. It is linked to CWE-324 and carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), reflecting medium severity with network accessibility, low attack complexity, no privileges or user interaction needed, and low-impact confidentiality exposure.

An unauthenticated remote attacker can exploit this issue over the network with minimal effort. By leveraging an expired access token, the attacker gains read access to sensitive user information, resulting in unauthorized data disclosure without impacting integrity or availability.

IBM's security advisory, available at https://www.ibm.com/support/pages/node/7263391, provides details on the issue and recommended mitigations.

Details

CWE(s): CWE-324

Affected Products

ibm

sterling partner engagement manager

6.2.3 — 6.2.3.6 · 6.2.3 — 6.2.3.6 · 6.2.4 — 6.2.4.3

CVEs Like This One

CVE-2025-13726Same product: Ibm Sterling Partner Engagement Manager

CVE-2025-13718Same product: Ibm Sterling Partner Engagement Manager

CVE-2025-13214Same product: Linux Linux Kernel

CVE-2026-43055Same product: Linux Linux Kernel

CVE-2026-22984Same product: Linux Linux Kernel

CVE-2026-31649Same product: Linux Linux Kernel

CVE-2026-43037Same product: Linux Linux Kernel

CVE-2026-23427Same product: Linux Linux Kernel

CVE-2026-31668Same product: Linux Linux Kernel

CVE-2026-31718Same product: Linux Linux Kernel

References

https://www.ibm.com/support/pages/node/7263391
Vendor Advisory · psirt@us.ibm.com