CVE-2025-13478 is a vulnerability classified under CWE-522 (Insufficiently Protected Credentials) affecting OpenText Identity Manager version 25.2(v4.10.1) on Windows and Linux. The root cause is a cache misconfiguration within the application that leads to insecure handling of cached session data. This misconfiguration allows remote authenticated users with low privileges to retrieve session information belonging to other users by exploiting the improperly protected application cache. The vulnerability does not require user interaction and can be triggered remotely, increasing its risk profile. The CVSS 4.0 base score is 8.4, reflecting a high severity due to the network attack vector, low attack complexity, no need for privileges beyond authentication, and no user interaction. The vulnerability primarily compromises confidentiality by exposing sensitive session data, which could lead to unauthorized access or session hijacking. Integrity and availability impacts are limited but not negligible. No public exploits have been reported yet, but the vulnerability's characteristics suggest it could be weaponized in targeted attacks. The issue affects a widely used identity management product critical for enterprise authentication and authorization workflows, making it a significant concern for organizations relying on OpenText Identity Manager for secure identity lifecycle management.

The primary impact of CVE-2025-13478 is the compromise of confidentiality through unauthorized access to other users' session data. This can lead to session hijacking, unauthorized access to sensitive resources, and potential lateral movement within an organization's network. Since the vulnerability requires only authenticated access with low privileges, attackers who have compromised or obtained valid credentials can escalate their access by exploiting this flaw. The exposure of session data can undermine trust in the identity management system, potentially leading to broader security breaches. Organizations relying on OpenText Identity Manager for critical identity and access management functions may face increased risk of data breaches, regulatory non-compliance, and reputational damage. Although no known exploits are currently in the wild, the ease of exploitation and high severity score indicate a strong potential for future attacks. The vulnerability affects both Windows and Linux deployments, broadening the scope of impacted environments globally.

1. Immediate application of vendor patches or updates once available is the most effective mitigation. Monitor OpenText advisories for official fixes. 2. Until patches are released, restrict access to the Identity Manager application to trusted networks and users only, minimizing exposure to potential attackers. 3. Implement strict session management policies, including session timeouts and re-authentication requirements, to reduce the window of opportunity for session hijacking. 4. Review and harden cache configuration settings to ensure sensitive session data is not stored insecurely or accessible across user sessions. 5. Employ network segmentation and zero-trust principles to limit lateral movement if an attacker gains authenticated access. 6. Enhance monitoring and logging of authentication and session activities to detect anomalous behavior indicative of exploitation attempts. 7. Conduct regular security assessments and penetration testing focused on identity management systems to identify similar misconfigurations. 8. Educate administrators and users about the risks of credential compromise and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the likelihood of initial credential theft.