Cyber Resilience

CVE-2025-13726

Severity: Medium

Published: 13 March 2026
Modified: 18 March 2026
KEV Added: not listed
CVSS v3.1 Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.0005 (17.2nd percentile)
Risk Priority: 11 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-13726 is a medium-severity Generation of Error Message Containing Sensitive Information (CWE-209) vulnerability in IBM Sterling Partner Engagement Manager. Its CVSS v3.1 base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Gather Victim Host Information: Software (T1592.002). The CVE ranks at the 17.2nd EPSS percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST SP 800-53 SI-11 (Error Handling) and AU-13 (Monitoring for Information Disclosure).

Deeper analysis

CVE-2025-13726 is an information disclosure vulnerability (CWE-209) affecting IBM Sterling Partner Engagement Manager versions 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2. The flaw occurs when the application returns detailed technical error messages to users; the kind of detail CWE-209 covers (stack traces, internal paths, component names and versions, fragments of backend queries) reveals how the system is built and configured.

An unauthenticated remote attacker needs no user interaction to exploit this vulnerability over the network, and attack complexity is low: it is enough to send requests that make the application fail and read the response. Exploitation yields sensitive information from the error messages, which can be leveraged in further attacks against the system, for example to select exploits for the disclosed components. The CVSS v3.1 base score is 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), reflecting medium severity with low confidentiality impact and no impact on integrity or availability.

IBM has published a security advisory with details on the vulnerability at https://www.ibm.com/support/pages/node/7263391.

Vulnerability details

IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 could allow a remote attacker to obtain sensitive information when detailed technical error messages are returned. This information could be used in further attacks against the system.

CWE(s)

CWE-209 Generation of Error Message Containing Sensitive Information

Related Threats

MITRE ATT&CK Enterprise Techniques

T1592.002 Gather Victim Host Information: Software (Reconnaissance)
Adversaries may gather information about the victim's host software that can be used during targeting.
Why these techniques?

Verbose error messages directly disclose software details and configuration, so an attacker can enumerate the victim's host software by eliciting errors, without credentials and without any exploit beyond ordinary requests.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-13718 Same product: IBM Sterling Partner Engagement Manager
CVE-2025-13723 Same product: IBM Sterling Partner Engagement Manager
CVE-2025-36253 Different product: Linux kernel
CVE-2024-41742 Different product: Linux kernel
CVE-2025-33088 Different product: Linux kernel
CVE-2025-13214 Different product: Linux kernel
CVE-2024-43178 Different product: Linux kernel
CVE-2024-41746 Different product: Linux kernel
CVE-2025-13219 Different product: Linux kernel
CVE-2024-51476 Different product: Linux kernel

Affected Assets

IBM
Sterling Partner Engagement Manager
6.2.3.0 to 6.2.3.5 (inclusive) · 6.2.4.0 to 6.2.4.2 (inclusive)

Mitigating Controls (NIST 800-53 r5)

prevent · SI-11 Error Handling

Directly requires the system to handle error conditions without returning detailed technical messages that could expose sensitive information (CWE-209).

prevent · Information output filtering

Filters outbound information to suppress sensitive details that would otherwise be leaked through application error responses.

detect · AU-13 Monitoring for Information Disclosure

Enables monitoring specifically for unauthorized information disclosure events such as verbose error messages revealing system details.

References