Platform: ibm
Component: ibm-business-automation-workflow
Fixed in: 25.0.1, 24.0.2, 24.0.1
CVE-2025-13096 describes an XML external entity injection (XXE) vulnerability present in IBM Business Automation Workflow. This flaw allows a remote attacker to potentially expose sensitive information or exhaust memory resources by manipulating XML data processing. The vulnerability impacts versions 24.0.0 through 25.0.0-IF002, and a fix is available in version 25.0.1.
Successful exploitation of CVE-2025-13096 could lead to significant data breaches. An attacker could craft malicious XML payloads to read arbitrary files on the server, potentially exposing configuration files, database credentials, or other sensitive data. Beyond data exfiltration, the XXE attack can be leveraged for denial-of-service (DoS) by consuming excessive memory resources, rendering the Business Automation Workflow instance unavailable. The impact is particularly severe in environments where Business Automation Workflow handles sensitive business processes or integrates with critical systems.
This vulnerability was publicly disclosed on 2026-02-02. The CVSS score of 7.1 (HIGH) indicates a significant risk. No public proof-of-concept exploits have been observed as of this writing, but the XXE vulnerability class is well-understood and readily exploitable. It is recommended to prioritize remediation due to the potential for data exposure and DoS.
Exploit Status
EPSS: 0.07% (22nd percentile)
The primary mitigation for CVE-2025-13096 is to upgrade to IBM Business Automation Workflow version 25.0.1 or later. If immediate upgrading is not feasible, consider implementing input validation and sanitization on all XML data processed by the system. Configure your WAF to block XML requests containing suspicious external entity declarations. Review and restrict file access permissions to minimize the potential impact of a successful XXE attack. After upgrading, confirm the fix by attempting to trigger an XXE payload and verifying that it is properly blocked.
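One way to implement the XML screening the mitigation paragraph recommends, added here as an example and not code from IBM or this advisory: it uses Python's standard-library expat parser with external entity resolution disabled to record the DTD constructs that XXE and entity-expansion attacks depend on, and assumes the caller can reject a request before the application's own parser processes it. The sample request bodies are constructed for the demonstration.

```python
"""Pre-parse screen for XML request bodies: flag the DTD constructs that XXE and
entity-expansion attacks rely on before the application's own parser runs."""
import xml.parsers.expat
from dataclasses import dataclass, field

@dataclass
class ScreenResult:
    blocked: bool
    reasons: list = field(default_factory=list)

def screen_xml(body: bytes, allow_internal_entities: bool = False) -> ScreenResult:
    """Walk the body with expat, recording (never resolving) DTD declarations.
    Policy: external DTD subsets, external entities and parameter entities are
    always blocked; internal general entities are blocked unless the caller
    opts in, because they enable memory-exhaustion ("billion laughs") expansion."""
    reasons = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if sysid or pubid:
            reasons.append(f"DOCTYPE {name} references an external DTD: {sysid or pubid}")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        if sysid or pubid:
            reasons.append(f"external entity {name!r} -> {sysid or pubid}")
        elif is_param:
            reasons.append(f"parameter entity %{name}; declared")
        elif not allow_internal_entities:
            reasons.append(f"internal entity {name!r} declared (expansion risk)")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    # Returning True tells expat the reference was handled without fetching
    # anything, so the screen itself can never be turned into an XXE oracle.
    parser.ExternalEntityRefHandler = lambda context, base, sysid, pubid: True
    try:
        parser.Parse(body, True)
    except xml.parsers.expat.ExpatError as exc:
        reasons.append(f"malformed XML rejected: {exc}")
    return ScreenResult(bool(reasons), reasons)

# Constructed sample bodies (not taken from the advisory) used by the checks.
CLEAN = b"<process><name>onboarding</name></process>"
EXTERNAL_ENTITY = (b'<!DOCTYPE process [<!ENTITY ext SYSTEM "file:///etc/hostname">]>'
                   b"<process>&ext;</process>")
EXPANSION = (b'<!DOCTYPE process [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
             b"<process>&b;</process>")
if __name__ == "__main__":
    for label, body in [("clean", CLEAN), ("xxe", EXTERNAL_ENTITY), ("expansion", EXPANSION)]:
        print(label, screen_xml(body))
```

Rejecting every document that carries a DOCTYPE is the simplest policy; the `allow_internal_entities` switch exists only for applications that legitimately rely on small internal entities.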
Update IBM Business Automation Workflow to a version later than V25.0.0-IF007, V24.0.1-IF007 or V24.0.0-IF007. Refer to the IBM advisory for more details on specific versions and available patches. Apply the security updates provided by IBM as soon as possible.
CVE-2025-13096 is a vulnerability allowing attackers to inject external entities into XML processing, potentially exposing sensitive data or causing denial-of-service in IBM Business Automation Workflow.
You are affected if you are running IBM Business Automation Workflow versions 24.0.0 through V25.0.0-IF002. Check your version and upgrade accordingly.
Upgrade to version 25.0.1 or later. As a temporary workaround, implement strict input validation and sanitization for XML data.
While no public exploits are currently known, the vulnerability is well-understood and poses a significant risk. Proactive remediation is recommended.
Refer to the official IBM Security Bulletin for details: [https://www.ibm.com/support/kbdoc/firstdoc?docid=instance/baw/20260202/2](https://www.ibm.com/support/kbdoc/firstdoc?docid=instance/baw/20260202/2)