CVE-2025-13723
Published: 13 March 2026
Summary
CVE-2025-13723 is a medium-severity Use of a Key Past its Expiration Date (CWE-324) vulnerability in Ibm Sterling Partner Engagement Manager. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 4.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).
Deeper analysis
CVE-2025-13723 affects IBM Sterling Partner Engagement Manager in versions 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2. The vulnerability enables an attacker to obtain sensitive user information by using an expired access token. It is linked to CWE-324 and carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), reflecting medium severity with network accessibility, low attack complexity, no privileges or user interaction needed, and low-impact confidentiality exposure.
An unauthenticated remote attacker can exploit this issue over the network with minimal effort. By leveraging an expired access token, the attacker gains read access to sensitive user information, resulting in unauthorized data disclosure without impacting integrity or availability.
IBM's security advisory, available at https://www.ibm.com/support/pages/node/7263391, provides details on the issue and recommended mitigations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208649
Vulnerability details
IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 could allow an attacker to obtain sensitive user information using an expired access token
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in public-facing app allows unauthenticated remote use of expired access tokens (CWE-324) for data access, directly mapping to public app exploitation and alternate token auth material.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces access decisions so that an expired token is rejected before any sensitive user data can be read.
Requires proper management of token authenticators, including mandatory expiration and invalidation after the validity period.
Forces termination of sessions/tokens once they are no longer valid, limiting the window an expired token can be misused.