CVE-2025-13478 Overview
A cache misconfiguration vulnerability has been identified in OpenText Identity Manager that affects both Windows and Linux platforms. This security flaw allows remote authenticated users to obtain session data belonging to other users through insecure application cache handling. The vulnerability represents a significant risk to identity management infrastructure as it could enable unauthorized access to sensitive user session information.
Critical Impact
Authenticated attackers can exploit improper cache handling to access other users' session data, potentially leading to session hijacking, unauthorized data access, and privilege escalation within the identity management system.
Affected Products
- OpenText Identity Manager 25.2 (v4.10.1)
- Identity Manager deployments on Windows platforms
- Identity Manager deployments on Linux platforms
Discovery Timeline
- 2026-03-27 - CVE-2025-13478 published to NVD
- 2026-03-30 - Last updated in NVD database
Technical Details for CVE-2025-13478
Vulnerability Analysis
This vulnerability stems from improper cache configuration within OpenText Identity Manager's session handling mechanism. When users authenticate to the Identity Manager system, their session data is stored in a shared cache. Due to the misconfiguration, the application fails to properly isolate cached session data between different authenticated users. This architectural weakness allows an authenticated attacker to retrieve session information belonging to other users who are concurrently using the system.
The vulnerability is classified under CWE-522 (Insufficiently Protected Credentials), indicating that the session data and associated credentials within the cache are not adequately protected from unauthorized access. This affects the confidentiality of user sessions and can potentially impact system integrity if session data is manipulated.
Root Cause
The root cause of CVE-2025-13478 lies in the insecure application cache handling implementation within Identity Manager. The cache mechanism fails to implement proper session isolation controls, allowing cross-user access to cached session data. This misconfiguration likely involves:
- Inadequate cache key generation that does not properly scope data to individual user sessions
- Missing access control checks when retrieving cached session objects
- Improper cache invalidation or session boundary enforcement
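The first two items above, shown as a weak cache beside a hardened one. This is an added illustration of the general weakness class, not code from OpenText Identity Manager; `SharedCache`, `weak_key`, `scoped_key`, `IsolatedSessionCache` and all sample values are hypothetical.

```python
import hashlib
import hmac
import secrets

class SharedCache:
    """Stand-in for an application-wide cache shared by every user."""
    def __init__(self):
        self._store = {}

    def put(self, key, value):
        self._store[key] = value

    def get(self, key):
        return self._store.get(key)

def weak_key(view_name):
    # Weak: the key names what is cached, not whose session it belongs to.
    return f"session-view:{view_name}"

def scoped_key(secret, session_id, view_name):
    # Hardened: a keyed hash binds the entry to one session.
    msg = f"{session_id}|{view_name}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

class IsolatedSessionCache:
    def __init__(self, cache, secret):
        self._cache, self._secret = cache, secret

    def put(self, session_id, owner, view_name, data):
        key = scoped_key(self._secret, session_id, view_name)
        self._cache.put(key, {"owner": owner, "data": data})

    def get(self, session_id, requester, view_name):
        entry = self._cache.get(scoped_key(self._secret, session_id, view_name))
        # Access check on read: the stored owner must match the requester.
        if entry is None or entry["owner"] != requester:
            return None
        return entry["data"]

def demo():
    cache = SharedCache()
    cache.put(weak_key("profile"), {"user": "alice"})   # cached for alice
    leaked = cache.get(weak_key("profile"))             # served to bob
    iso = IsolatedSessionCache(cache, secrets.token_bytes(32))
    iso.put("sid-alice", "alice", "profile", {"user": "alice"})
    iso.put("sid-bob", "bob", "profile", {"user": "bob"})
    return (leaked["user"], iso.get("sid-bob", "bob", "profile")["user"],
            iso.get("sid-alice", "bob", "profile"))
```

The last element of `demo()` is `None` even though the requester supplied a valid session identifier, because the owner check on read is enforced independently of key scoping.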
Attack Vector
The attack vector for this vulnerability is network-based and requires the attacker to have valid authentication credentials to the Identity Manager system. The attack flow involves:
- The attacker authenticates to the OpenText Identity Manager application using legitimate credentials
- The attacker exploits the cache misconfiguration to enumerate or directly access cached session objects
- By manipulating cache retrieval parameters or using timing attacks, the attacker obtains session data belonging to other authenticated users
- The retrieved session data may include authentication tokens, user identifiers, or other sensitive information that enables session hijacking or unauthorized access
The vulnerability requires low attack complexity with no user interaction needed, making it relatively straightforward to exploit once authentication is achieved. The impact extends beyond the vulnerable component, as compromised session data could affect downstream systems and applications integrated with the Identity Manager.
Detection Methods for CVE-2025-13478
Indicators of Compromise
- Unusual patterns of cache access requests from single authenticated sessions
- Session data retrieval logs showing access to sessions not belonging to the requesting user
- Anomalous authentication patterns where users appear active from multiple disparate locations simultaneously
- Error logs indicating cache access violations or boundary exceptions
Detection Strategies
- Implement audit logging for all cache read operations within Identity Manager
- Monitor for authenticated users accessing session objects with mismatched user identifiers
- Deploy application-level intrusion detection rules to identify cache enumeration attempts
- Review Identity Manager access logs for unusual session retrieval patterns
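One way to implement the mismatched-identifier check once cache reads are audited, as an added example that is not part of the vendor guidance. The log format, field names and sample lines are constructed for illustration and are not real Identity Manager output; `enum_threshold` is an assumed tuning parameter.

```python
import re
from collections import defaultdict

# Constructed audit lines in a hypothetical format (not product output).
SAMPLE_LOG = """\
2026-03-28T09:00:01Z CACHE_READ requester=alice session=S-1001 owner=alice src=10.0.0.5
2026-03-28T09:00:02Z CACHE_READ requester=bob session=S-1002 owner=bob src=10.0.0.9
2026-03-28T09:00:07Z CACHE_READ requester=mallory session=S-1001 owner=alice src=10.0.0.44
2026-03-28T09:00:08Z CACHE_READ requester=mallory session=S-1002 owner=bob src=10.0.0.44
2026-03-28T09:00:09Z CACHE_READ requester=mallory session=S-1003 owner=carol src=10.0.0.44
2026-03-28T09:00:10Z CACHE_READ requester=carol session=S-1003 owner=carol src=10.0.0.7
malformed line that the parser must skip
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) CACHE_READ requester=(?P<requester>\S+) "
    r"session=(?P<session>\S+) owner=(?P<owner>\S+) src=(?P<src>\S+)$"
)

def parse(log_text):
    """Yield one dict per well-formed CACHE_READ line; skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def find_cross_user_reads(log_text, enum_threshold=3):
    """Return (mismatched events, requesters that read >= threshold foreign sessions)."""
    mismatches = []
    foreign = defaultdict(set)
    for ev in parse(log_text):
        if ev["requester"] != ev["owner"]:
            mismatches.append(ev)
            foreign[ev["requester"]].add(ev["session"])
    enumerators = {
        user: sorted(sessions)
        for user, sessions in foreign.items()
        if len(sessions) >= enum_threshold
    }
    return mismatches, enumerators

if __name__ == "__main__":
    events, enumerators = find_cross_user_reads(SAMPLE_LOG)
    for ev in events:
        print(f"{ev['ts']} {ev['requester']} read {ev['session']} owned by {ev['owner']}")
    print("possible enumeration:", enumerators)
```

Every mismatched read is reported individually; the threshold only decides when a requester is additionally flagged for touching many distinct foreign sessions.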
Monitoring Recommendations
- Enable verbose logging for Identity Manager cache operations during the investigation period
- Establish baseline metrics for normal cache access patterns per authenticated user
- Configure alerts for session data access anomalies that deviate from established baselines
- Monitor network traffic for unusual API calls related to session management endpoints
How to Mitigate CVE-2025-13478
Immediate Actions Required
- Apply the Identity Manager 4.10.1 Patch 01 from OpenText/Micro Focus immediately
- Review Identity Manager deployment configurations for custom cache settings
- Conduct a session audit to identify any potential unauthorized session access
- Consider temporarily restricting access to the Identity Manager system to essential users only during patching
Patch Information
OpenText has released a security patch to address this vulnerability. Detailed patch information and installation instructions are available through the official documentation:
Organizations running Identity Manager version 25.2 (v4.10.1) should apply the security patch as soon as possible following standard change management procedures.
Workarounds
- Implement network segmentation to limit access to Identity Manager to trusted network zones only
- Enable additional authentication factors for Identity Manager access to reduce the risk from compromised sessions
- Configure web application firewall rules to detect and block suspicious session-related API requests
- Reduce cache TTL (time-to-live) values to minimize the window of exposure for cached session data
- Review and restrict the number of concurrent sessions allowed per user account


