CVE-2025-13490

Received Received - Intake

Cleartext Data Transmission Vulnerability in IBM App Connect Containers

Publication date: 2026-03-03

Last updated on: 2026-03-04

Assigner: IBM Corporation

Description

IBM App Connect Operator versions CD 11.3.0 through 11.6.0 and 12.1.0 through 12.20.0, LTS versions 12.0.0 through 12.0.20, and IBM App Connect Enterprise Certified Containers Operands versions CD 12.0.11.2‑r1 through 12.0.12.5‑r1 and 13.0.1.0‑r1 through 13.0.6.1‑r1, and LTS versions 12.0.12‑r1 through 12.0.12‑r20, contain a vulnerability in which the IBM App Connect Enterprise Certified Container transmits data in clear text, potentially allowing an attacker to intercept and obtain sensitive information through man‑in‑the‑middle techniques.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-03-03

Last Modified

2026-03-04

Generated

2026-06-16

AI Q&A

2026-03-03

EPSS Evaluated

2026-06-15

NVD

CVE-2025-13490

EUVD

EUVD-2025-208249

Affected Vendors & Products

Vendor	Product	Version / Range
ibm	app_connect_enterprise_certified_containers_operands	12.0.12.5
ibm	app_connect_enterprise_certified_containers_operands	13.0.1.0
ibm	app_connect_enterprise_certified_containers_operands	13.0.2.1
ibm	app_connect_enterprise_certified_containers_operands	12.0.11.2
ibm	app_connect_enterprise_certified_containers_operands	12.0.11.3
ibm	app_connect_enterprise_certified_containers_operands	12.0.12
ibm	app_connect_enterprise_certified_containers_operands	12.0.12
ibm	app_connect_enterprise_certified_containers_operands	12.0.12.0
ibm	app_connect_enterprise_certified_containers_operands	12.0.12.0
ibm	app_connect_enterprise_certified_containers_operands	12.0.12.2
ibm	app_connect_enterprise_certified_containers_operands	12.0.12.3
ibm	app_connect_enterprise_certified_containers_operands	12.0.12.4
ibm	app_connect_enterprise_certified_containers_operands	13.0.2.2
ibm	app_connect_enterprise_certified_containers_operands	13.0.1.0
ibm	app_connect_enterprise_certified_containers_operands	13.0.1.1
ibm	app_connect_enterprise_certified_containers_operands	13.0.2.0
ibm	app_connect_enterprise_certified_containers_operands	13.0.2.2
ibm	app_connect_enterprise_certified_containers_operands	13.0.3.0
ibm	app_connect_enterprise_certified_containers_operands	13.0.3.1
ibm	app_connect_enterprise_certified_containers_operands	13.0.4.0
ibm	app_connect_enterprise_certified_containers_operands	13.0.4.1
ibm	app_connect_enterprise_certified_containers_operands	12.0.12
ibm	app_connect_enterprise_certified_containers_operands	12.0.12
ibm	app_connect_enterprise_certified_containers_operands	12.0.12
ibm	app_connect_enterprise_certified_containers_operands	12.0.12
ibm	app_connect_enterprise_certified_containers_operands	12.0.12
ibm	app_connect_enterprise_certified_containers_operands	12.0.12
ibm	app_connect_enterprise_certified_containers_operands	12.0.12
ibm	app_connect_enterprise_certified_containers_operands	12.0.12
ibm	app_connect_enterprise_certified_containers_operands	12.0.12
ibm	app_connect_enterprise_certified_containers_operands	12.0.12
ibm	app_connect_enterprise_certified_containers_operands	12.0.12
ibm	app_connect_enterprise_certified_containers_operands	12.0.12
ibm	app_connect_enterprise_certified_containers_operands	12.0.12
ibm	app_connect_enterprise_certified_containers_operands	12.0.12
ibm	app_connect_enterprise_certified_containers_operands	12.0.12
ibm	app_connect_enterprise_certified_containers_operands	12.0.12
ibm	app_connect_enterprise_certified_containers_operands	12.0.12
ibm	app_connect_enterprise_certified_containers_operands	12.0.12
ibm	app_connect_enterprise_certified_containers_operands	13.0.4.2
ibm	app_connect_enterprise_certified_containers_operands	13.0.5.0
ibm	app_connect_enterprise_certified_containers_operands	13.0.5.1
ibm	app_connect_enterprise_certified_containers_operands	13.0.5.2
ibm	app_connect_enterprise_certified_containers_operands	13.0.6.0
ibm	app_connect_enterprise_certified_containers_operands	13.0.6.1
ibm	app_connect_operator	From 11.3.0 (inc) to 11.6.0 (inc)
ibm	app_connect_operator	From 12.1.0 (inc) to 12.20.1 (inc)
ibm	app_connect_operator	From 12.0.0 (inc) to 12.0.20 (inc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-319	The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

Attack-Flow Graph

Compliance Impact

I don't know

Executive Summary

CVE-2025-13490 is a vulnerability in IBM App Connect Enterprise Certified Container products where data is transmitted in clear text. This means that sensitive information sent by the container to a Prometheus instance within an OpenShift cluster is not encrypted.

Because the data is unencrypted, an attacker could potentially intercept this information using man-in-the-middle (MITM) techniques, leading to a loss of confidentiality.

Impact Analysis

This vulnerability can impact you by exposing sensitive data transmitted by IBM App Connect Enterprise Certified Container to interception by attackers.

Attackers can perform man-in-the-middle attacks to capture unencrypted metrics data.
This leads to a confidentiality breach, potentially exposing sensitive information.

The vulnerability has a CVSS v3.1 base score of 5.9, indicating a medium severity with high confidentiality impact but no impact on integrity or availability.

Detection Guidance

The vulnerability involves IBM App Connect Enterprise Certified Container transmitting metrics data in clear text over the network, which can be intercepted via man-in-the-middle attacks.

To detect this vulnerability on your network or system, you can monitor network traffic for unencrypted Prometheus metrics data being sent from IBM App Connect Enterprise Certified Container components within an OpenShift cluster.

Commands to help detect this include using network packet capture tools such as tcpdump or Wireshark to inspect traffic on the relevant ports (typically Prometheus metrics ports, e.g., 9090 or custom configured ports). For example:

tcpdump -i <interface> port 9090 -w capture.pcap
Followed by analyzing the capture with Wireshark to check if the metrics data is transmitted in clear text (unencrypted HTTP rather than HTTPS).

Additionally, checking the configuration of the IBM App Connect Enterprise Certified Container Operator and its components to verify if metrics reporting is enabled and whether encryption is configured can help identify vulnerable setups.

Mitigation Strategies

The primary mitigation for this vulnerability is to upgrade affected IBM App Connect Operator and IBM App Connect Enterprise Certified Container components to fixed versions that address the issue.

For Continuous Delivery (CD) versions up to 12.20.1, upgrade the App Connect Enterprise Certified Container Operator to version 12.21.0 or higher.
Ensure all DesignerAuthoring, IntegrationServer, and IntegrationRuntime components are upgraded to version 13.0.6.2-r1 or higher.
For Long Term Support (LTS) versions 12.0.x, upgrade the App Connect Enterprise Certified Container Operator to version 12.0.21 or higher.
Ensure all DesignerAuthoring, IntegrationServer, and IntegrationRuntime components are upgraded to version 12.0.12-r21 or higher.

No workarounds or alternative mitigations are provided, so upgrading to the fixed versions is the recommended immediate action.

Hi! I’m here to help you understand CVE-2025-13490. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2025-13490

Cleartext Data Transmission Vulnerability in IBM App Connect Containers

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart