Cyber Resilience

CVE-2025-14840

High

Published: 28 January 2026

Published
28 January 2026
Modified
06 February 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0008 24.0th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-14840 is a high-severity Improper Check for Unusual or Exceptional Conditions (CWE-754) vulnerability in Bmeme Http Client Manager. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-14840 is an Improper Check for Unusual or Exceptional Conditions vulnerability (CWE-754) in the Drupal HTTP Client Manager module, enabling forceful browsing. This issue affects HTTP Client Manager versions from 0.0.0 before 9.3.13, from 10.0.0 before 10.0.2, and from 11.0.0 before 11.0.1. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high-impact denial of service potential over the network.

Remote, unauthenticated attackers can exploit this vulnerability with low attack complexity and no user interaction required. Successful exploitation results in a denial of service condition with high availability impact, while confidentiality and integrity are not affected.

The Drupal security advisory at https://www.drupal.org/sa-contrib-2025-126 details the vulnerability. Mitigation requires updating to HTTP Client Manager version 9.3.13 or later (for 9.x), 10.0.2 or later (for 10.x), or 11.0.1 or later (for 11.x).

EU & UK References

Vulnerability details

Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal HTTP Client Manager allows Forceful Browsing.This issue affects HTTP Client Manager: from 0.0.0 before 9.3.13, from 10.0.0 before 10.0.2, from 11.0.0 before 11.0.1.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote unauthenticated exploitation of public-facing Drupal module via forceful browsing directly matches T1190; resulting application DoS matches T1499.004.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-45650Shared CWE-754
CVE-2026-24054Shared CWE-754
CVE-2026-4693Shared CWE-754
CVE-2026-4695Shared CWE-754
CVE-2026-0227Shared CWE-754
CVE-2026-4714Shared CWE-754
CVE-2026-2801Shared CWE-754
CVE-2026-4685Shared CWE-754
CVE-2026-4709Shared CWE-754
CVE-2025-69420Shared CWE-754

Affected Assets

bmeme
http client manager
11.0.0 · ≤ 9.3.13 · 10.0.0 — 10.0.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-2 mandates timely identification, reporting, and correction of software flaws, directly addressing this CVE by requiring patches to HTTP Client Manager versions 9.3.13, 10.0.2, or 11.0.1.

prevent

SI-11 requires secure error and exception handling to prevent denial-of-service from improper checks for unusual conditions, matching CWE-754 in the Drupal HTTP Client Manager.

prevent

SC-5 provides denial-of-service protections such as rate limiting to limit the availability impact of remote, unauthenticated exploitation of this forceful browsing vulnerability.

References