CVE-2025-13726
Published: 13 March 2026
Summary
CVE-2025-13726 is a medium-severity Generation of Error Message Containing Sensitive Information (CWE-209) vulnerability in IBM Sterling Partner Engagement Manager. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Gather Victim Host Information: Software (T1592.002). The CVE ranks at the 16.1 percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping has not yet been generated for this CVE; the list below is derived from the weakness type (CWE-209) cited in the NVD entry, so each entry describes how a control of that kind bears on the weakness.
- Detection: treats error messages that leak sensitive information as evidence of disclosure, so verbose responses can be found in logs and response bodies before an attacker uses them.
- Authentication feedback: directly mitigates error messages that contain authentication details by requiring obscured feedback instead of verbose responses.
- Concealment and misdirection: error messages can deliberately withhold or falsify technical details, so what an attacker learns from them is incomplete or misleading.
- Error handling: explicitly requires error messages to avoid sensitive or exploitable details while still giving the user enough to take corrective action.
- Output validation: ensures error messages contain only expected, non-sensitive content and blocks leakage through verbose errors.
- Fail-safe procedures: define what the application does on failure, suppressing or sanitizing error output so that the message sent to the client never carries internal detail.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Verbose error messages directly disclose software details and configuration of the target host, which lets an attacker enumerate victim host software (T1592.002) passively, without any active probing.
NVD Description
IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 could allow a remote attacker to obtain sensitive information when detailed technical error messages are returned. This information could be used in further attacks against the system.
Deeper analysis
CVE-2025-13726 is an information disclosure vulnerability (CWE-209) affecting IBM Sterling Partner Engagement Manager in versions 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2. The flaw occurs when the application returns detailed technical error messages to users, which may expose sensitive information about the system.
A remote attacker requires no privileges or user interaction to exploit this vulnerability over the network with low attack complexity. Exploitation enables the attacker to obtain sensitive information from the error messages, which could be leveraged to conduct further attacks against the system. The CVSS v3.1 base score is 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), reflecting medium severity with low confidentiality impact and no impact on integrity or availability.
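To make the weakness concrete, the following Python is an added example written for this page; it is not code from IBM Sterling Partner Engagement Manager, from IBM, or from the advisory. It serves both the control list above (detection of leaking messages and fail-safe error output) and the analysis here: an unsanitised handler that echoes the exception and traceback (the CWE-209 pattern) sits beside a fail-safe handler that logs the detail server-side under a correlation ID and returns only a generic message, and a small detector flags response bodies that carry technical error content. The leak indicators, the sample Java-style error body, the hostname and the simulated failure are constructed for illustration and are assumptions, not strings observed in the product.

```python
import logging
import re
import traceback
import uuid
from dataclasses import dataclass

log = logging.getLogger("error-handling")

# Indicators that a response body is a raw technical error rather than a
# sanitised message. Generic Java/JDBC/Python signatures chosen for
# illustration (assumptions, not strings taken from the advisory).
LEAK_INDICATORS = [
    ("java stack frame", re.compile(r"^\s+at [\w$.]+\([\w.]+:\d+\)", re.M)),
    ("java exception class", re.compile(r"\b(?:java|javax|jakarta)\.[\w.]+(?:Exception|Error)\b")),
    ("jdbc connection string", re.compile(r"\bjdbc:\w+://", re.I)),
    ("database error code", re.compile(r"\b(?:ORA-\d{5}|SQLSTATE|SQLCODE)\b")),
    ("server file path", re.compile(r"(?:[A-Za-z]:\\|/opt/|/usr/|/home/)[\w./\\-]+")),
    ("python traceback", re.compile(r'File "[^"]+", line \d+')),
]


def looks_like_verbose_error(body: str) -> list:
    """Return the labels of every leak indicator present in a response body.
    An empty list means the body looks like a sanitised error message."""
    return [label for label, pat in LEAK_INDICATORS if pat.search(body)]


@dataclass
class Response:
    status: int
    body: str


def handle_verbose(exc: BaseException) -> Response:
    """Unsanitised handler: the CWE-209 pattern. The exception message and
    traceback go straight to the client, exposing class names, connection
    strings and code locations."""
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    return Response(500, detail)


def handle_failsafe(exc: BaseException) -> Response:
    """Fail-safe handler. The detail is logged server-side under a correlation
    ID; the client gets only a generic message plus that ID, so support staff
    can still locate the full record."""
    ref = uuid.uuid4().hex[:12]
    log.error("request failed ref=%s", ref, exc_info=exc)
    return Response(500, f"An internal error occurred. Reference: {ref}")


def simulate_failed_request(handler) -> Response:
    """Drive a handler with a constructed failure whose message carries a
    fictional JDBC URL, the kind of detail a verbose handler would leak."""
    try:
        raise RuntimeError("Cannot connect to jdbc:db2://pem-db.internal:50000/PEMDB")
    except RuntimeError as exc:
        return handler(exc)


# Constructed example of a verbose Java servlet error body (not captured from
# the product), used to exercise the detector stand-alone.
SAMPLE_VERBOSE_BODY = (
    "javax.servlet.ServletException: request processing failed\n"
    "Caused by: java.sql.SQLException: Connection refused: "
    "jdbc:db2://pem-db.internal:50000/PEMDB\n"
    "\tat com.example.pem.PartnerDao.load(PartnerDao.java:88)\n"
    "\tat com.example.pem.PartnerServlet.doGet(PartnerServlet.java:41)\n"
)

if __name__ == "__main__":
    print("sample body leaks:", looks_like_verbose_error(SAMPLE_VERBOSE_BODY))
    for name, handler in (("verbose", handle_verbose), ("fail-safe", handle_failsafe)):
        resp = simulate_failed_request(handler)
        print(f"{name}: status={resp.status} leaks={looks_like_verbose_error(resp.body)}")
```

Running the script shows the constructed Java body and the verbose handler's output both tripping the detector, while the fail-safe handler's body trips nothing and still gives the caller a reference to quote to support. The same detector can be pointed at captured HTTP responses from a test instance to check whether an upgrade to a fixed version actually stopped the verbose output; the indicator list is a starting point and should be extended with whatever signatures appear in the deployment under test.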
IBM has published a security advisory with details on the vulnerability at https://www.ibm.com/support/pages/node/7263391.
Details
- CWE(s)