CVE-2025-13691 is a vulnerability classified under CWE-497, indicating exposure of sensitive system information to an unauthorized control sphere. Specifically, IBM DataStage on Cloud Pak for Data versions 5.1.2 through 5.3.0 improperly include sensitive information in HTTP responses. This leakage can be leveraged by an attacker with low privileges (requiring only limited authentication) to impersonate other users within the system, potentially gaining unauthorized access to data and functions. The vulnerability has a CVSS 3.1 base score of 8.1, reflecting high severity due to its impact on confidentiality and integrity without requiring user interaction. The attack vector is network-based, with low attack complexity, meaning an attacker can exploit this remotely with minimal effort once authenticated. Although no public exploits have been reported, the nature of the vulnerability poses a significant risk to organizations relying on IBM DataStage for data integration and ETL processes within Cloud Pak for Data environments. The flaw could facilitate lateral movement, privilege escalation, or unauthorized data access, undermining trust in data processing pipelines.

The vulnerability could lead to unauthorized disclosure of sensitive information, enabling attackers to impersonate legitimate users and access or manipulate critical data integration workflows. This compromises confidentiality and integrity of enterprise data, potentially leading to data breaches, regulatory non-compliance, and operational disruptions. Organizations relying on IBM DataStage for critical ETL and data orchestration tasks may face significant risks including exposure of proprietary or personal data, loss of data integrity, and erosion of trust in data governance. The absence of impact on availability means systems remain operational but compromised. The ease of exploitation and network accessibility increase the likelihood of targeted attacks, especially in environments where multiple users share access or where credentials are reused or weak. The vulnerability could also facilitate further attacks within the network by enabling impersonation and privilege escalation.

Organizations should immediately assess their IBM DataStage on Cloud Pak for Data deployments to identify affected versions (5.1.2 through 5.3.0). Although no official patches are listed, it is critical to monitor IBM security advisories for forthcoming updates and apply them promptly once available. In the interim, restrict network access to the DataStage management interfaces using network segmentation, firewalls, and VPNs to limit exposure to trusted users only. Implement strict access controls and multi-factor authentication to reduce the risk of unauthorized access. Conduct thorough audits of user privileges and session management to detect and prevent impersonation attempts. Employ web application firewalls (WAFs) to detect anomalous HTTP responses and block suspicious activities. Additionally, monitor logs for unusual authentication or access patterns indicative of exploitation attempts. Educate administrators and users about the risks and ensure rapid incident response capabilities are in place.