CVE-2025-13726
Published: 13 March 2026
Summary
CVE-2025-13726 is a medium-severity Generation of Error Message Containing Sensitive Information (CWE-209) vulnerability in IBM Sterling Partner Engagement Manager. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Gather Victim Host Information: Software (T1592.002); it is ranked at the 17.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and AU-13 (Monitoring for Information Disclosure).
Deeper analysis
CVE-2025-13726 is an information disclosure vulnerability (CWE-209) affecting IBM Sterling Partner Engagement Manager in versions 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2. The flaw occurs when the application returns detailed technical error messages to users, which may expose sensitive information about the system.
A remote attacker requires no privileges or user interaction to exploit this vulnerability over the network with low attack complexity. Exploitation enables the attacker to obtain sensitive information from the error messages, which could be leveraged to conduct further attacks against the system. The CVSS v3.1 base score is 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), reflecting medium severity with low confidentiality impact and no impact on integrity or availability.
IBM has published a security advisory with details on the vulnerability at https://www.ibm.com/support/pages/node/7263391.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208651
Vulnerability details
IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 could allow a remote attacker to obtain sensitive information when detailed technical error messages are returned. This information could be used in further attacks against the system.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Verbose error messages directly disclose software details and configuration, enabling passive discovery of the victim host's software (T1592.002).
Mitigating Controls (NIST 800-53 r5)
- SI-11 (Error Handling): directly requires the system to handle error conditions without returning detailed technical messages that could expose sensitive information (CWE-209).
- Filters outbound information to suppress sensitive details that would otherwise be leaked through application error responses.
- AU-13 (Monitoring for Information Disclosure): enables monitoring specifically for unauthorized information disclosure events, such as verbose error messages revealing system details.
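The following constructed example (not IBM's code) shows the CWE-209 pattern this advisory describes beside an SI-11 style fix, plus a simple AU-13 style check over outbound response bodies. The handler names, the `DbError` failure and the leak markers are assumptions for illustration only.

```python
import logging
import traceback
import uuid

# Constructed example, not code from IBM Sterling Partner Engagement Manager.
log = logging.getLogger("app")


class DbError(Exception):
    """Hypothetical backend failure carrying an internal detail."""


def query_partner(partner_id):
    # Stand-in for a backend call; the message mimics a real internal detail.
    raise DbError("connect to db-prod-01.internal:5432 as app_user failed")


def handle_leaky(partner_id):
    """CWE-209 pattern: exception text and stack trace go straight to the client."""
    try:
        return 200, query_partner(partner_id)
    except Exception as exc:
        return 500, f"Internal error: {exc}\n{traceback.format_exc()}"


def handle_hardened(partner_id):
    """SI-11 style: opaque message to the client, full detail only in the server log."""
    try:
        return 200, query_partner(partner_id)
    except Exception:
        ref = uuid.uuid4().hex[:12]  # correlation id so support can find the log entry
        log.error("request failed ref=%s", ref, exc_info=True)
        return 500, f"An internal error occurred (ref {ref})."


# AU-13 style check: markers suggesting a response body carries implementation
# detail. Constructed list; extend it to match the stack actually in use.
LEAK_MARKERS = ("Traceback", 'File "', ".internal", "Exception", "SQL")


def leaks_detail(body):
    """Return True when the outbound body contains any leak marker."""
    return any(marker in body for marker in LEAK_MARKERS)


if __name__ == "__main__":
    for handler in (handle_leaky, handle_hardened):
        status, body = handler("P-100")
        print(handler.__name__, status, "LEAK" if leaks_detail(body) else "clean")
```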