Description
IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 could allow an attacker to obtain sensitive user information using an expired access token
Published: 2026-03-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

The vulnerability in IBM Sterling Partner Engagement Manager allows an attacker to retrieve sensitive user information by presenting an access token that has already expired. Key detail from the vendor description: "IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 could allow an attacker to obtain sensitive user information using an expired access token." The root cause is a failure to reject an expired credential, tracked as CWE-324 (Use of a Key Past its Expiration Date); the consequence is information disclosure and a loss of data confidentiality.

Affected Systems

IBM Sterling Partner Engagement Manager Essentials Edition and Standard Edition are both affected. Key detail from the vendor advisory: affected versions are 6.2.3.0–6.2.3.5 and 6.2.4.0–6.2.4.2. The remediated version depends on the release branch rather than the edition: 6.2.3.6 for 6.2.3.x deployments and 6.2.4.3 for 6.2.4.x deployments, for both editions.

Risk and Exploitability

The CVSS score is 5.3 (Medium), and the EPSS score is below 1%, indicating a low current likelihood of exploitation. The vulnerability is not listed in the KEV catalog. Exploitation requires possession of an expired token, which could be obtained through normal authentication flows or through configuration errors that leak tokens; the description gives no further prerequisites, and the recorded CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) indicates a network-reachable attack with no privileges or user interaction required, so the flaw should be treated as reachable by either internal or external actors holding such a token.

Generated by OpenCVE AI on March 18, 2026 at 20:52 UTC.

Remediation

Vendor Solution

Remediation/Fixes: IBM strongly recommends addressing the vulnerability now by upgrading.

  • IBM Sterling Partner Engagement Manager Essentials Edition, affected 6.2.3.0 – 6.2.3.5: upgrade to 6.2.3.6 (Download 6.2.3.6)
  • IBM Sterling Partner Engagement Manager Essentials Edition, affected 6.2.4.0 – 6.2.4.2: upgrade to 6.2.4.3 (Download 6.2.4.3)
  • IBM Sterling Partner Engagement Manager Standard Edition, affected 6.2.3.0 – 6.2.3.5: upgrade to 6.2.3.6 (Download 6.2.3.6)
  • IBM Sterling Partner Engagement Manager Standard Edition, affected 6.2.4.0 – 6.2.4.2: upgrade to 6.2.4.3 (Download 6.2.4.3)


OpenCVE Recommended Actions

  • Determine whether your deployment is the Essentials or Standard Edition and record the current version, since the fix level depends on the release branch (6.2.3.x or 6.2.4.x).
  • Apply the vendor-supplied upgrade as specified in the advisory: 6.2.3.6 for 6.2.3.x deployments or 6.2.4.3 for 6.2.4.x deployments, for either edition. These releases contain the remediation for the expired-token flaw.
  • Back up configuration and data before applying the update, following best-practice change procedures for critical applications.
  • After the update, confirm that an expired access token is rejected and can no longer be used to retrieve user information by running token validation tests against the patched instance.



Advisories

No advisories yet.

History

Wed, 18 Mar 2026 19:30:00 +0000

First Time appeared: Linux; Linux linux Kernel
CPEs:
  cpe:2.3:a:ibm:sterling_partner_engagement_manager:*:*:*:*:essentials:*:*:*
  cpe:2.3:a:ibm:sterling_partner_engagement_manager:*:*:*:*:standard:*:*:*
  cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
Vendors & Products: Linux; Linux linux Kernel

Fri, 13 Mar 2026 20:15:00 +0000

Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 13 Mar 2026 18:45:00 +0000

Description: IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 could allow an attacker to obtain sensitive user information using an expired access token
Title: IBM Sterling Partner Engagement Manager Information Disclosure
First Time appeared: Ibm; Ibm sterling Partner Engagement Manager
Weaknesses: CWE-324
CPEs:
  cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.3.0:*:*:*:essentials:*:*:*
  cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.3.0:*:*:*:standard:*:*:*
  cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.3.5:*:*:*:essentials:*:*:*
  cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.3.5:*:*:*:standard:*:*:*
  cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.4.0:*:*:*:essentials:*:*:*
  cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.4.0:*:*:*:standard:*:*:*
  cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.4.2:*:*:*:essentials:*:*:*
  cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.4.2:*:*:*:standard:*:*:*
Vendors & Products: Ibm; Ibm sterling Partner Engagement Manager
References
Metrics (cvssV3_1): {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-03-13T19:34:50.670Z

Reserved: 2025-11-25T22:23:37.869Z

Link: CVE-2025-13723

Vulnrichment

Updated: 2026-03-13T19:34:46.223Z

NVD

Status : Analyzed

Published: 2026-03-13T19:53:48.673

Modified: 2026-03-18T19:18:28.380

Link: CVE-2025-13723

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T13:40:29Z

Weaknesses