CVE-2025-14604
Published: 03 March 2026
Summary
CVE-2025-14604 is a medium-severity Incorrect Permission Assignment for Critical Resource (CWE-732) vulnerability in IBM Storage Scale. Its CVSS base score is 6.6 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 0.2th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Procedures support proper permission assignment for critical resources through documented controls.
Attribute management for resources provides a mechanism to assign and maintain correct permissions based on security labels.
Prevents overly permissive assignments to critical resources by limiting to task needs.
Training policy covers correct permission assignment, reducing the ability to exploit incorrect permission assignments for critical resources.
Training on permission management reduces incorrect permission assignments for critical resources.
Audit logs and logging tools are critical resources whose protection requires correct permission assignments to block unauthorized actions.
Assessments review permission assignments on critical resources to confirm correctness, mitigating exploitation via incorrect permissions.
Certification includes checking that permissions on critical resources are correctly assigned.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Incorrect permission assignment (CWE-732) allows low-privileged local users to trigger elevated execution of resources, directly enabling local privilege escalation.
NVD Description
IBM Storage Scale 5.2.3.0 - 5.2.3.5, and IBM Storage Scale 6.0.0.0 - 6.0.0.1 could allow a local user to unintentionally trigger additional permissions for resources in a way that allows that resource to be executed by unintended actors.
Deeper analysis (AI)
CVE-2025-14604 is a vulnerability in IBM Storage Scale (versions 5.2.3.0 through 5.2.3.5 and 6.0.0.0 through 6.0.0.1) stemming from incorrect permission assignment (CWE-732). It allows a local user to unintentionally trigger additional permissions for resources, enabling those resources to be executed by unintended actors. The issue has a CVSS v3.1 base score of 6.6 (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N), indicating medium severity with high impacts on confidentiality and integrity but no availability disruption.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity, though it requires user interaction (UI:R). Successful exploitation enables the attacker to execute resources with elevated permissions unintended for their access level, potentially leading to unauthorized data access (high confidentiality impact) and modification (high integrity impact).
IBM has published an advisory with details on mitigation and patches at https://www.ibm.com/support/pages/node/7262312. Security practitioners should consult this reference for version-specific remediation steps.
Details
- CWE(s)