CVE-2025-14840
Published: 28 January 2026
Summary
CVE-2025-14840 is a high-severity Improper Check for Unusual or Exceptional Conditions (CWE-754) vulnerability in Bmeme Http Client Manager. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 24.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-14840 is an Improper Check for Unusual or Exceptional Conditions vulnerability (CWE-754) in the Drupal HTTP Client Manager module, enabling forceful browsing. This issue affects HTTP Client Manager versions from 0.0.0 before 9.3.13, from 10.0.0 before 10.0.2, and from 11.0.0 before 11.0.1. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high-impact denial of service potential over the network.
Remote, unauthenticated attackers can exploit this vulnerability with low attack complexity and no user interaction required. Successful exploitation results in a denial of service condition with high availability impact, while confidentiality and integrity are not affected.
The Drupal security advisory at https://www.drupal.org/sa-contrib-2025-126 details the vulnerability. Mitigation requires updating to HTTP Client Manager version 9.3.13 or later (for 9.x), 10.0.2 or later (for 10.x), or 11.0.1 or later (for 11.x).
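The advisory gives three disjoint affected ranges, each with its own fixed version, so a fleet check has to compare an installed version against the right range rather than against a single number. The following is an added example, not code from the Drupal project or from the advisory; it assumes HTTP Client Manager versions are reported as semantic version strings (e.g. "9.3.12", optionally with a pre-release suffix such as "-rc1"), and the site inventory it scans is constructed for illustration.

```python
from typing import Dict, List, Optional, Tuple

# Affected ranges as published for CVE-2025-14840 (SA-CONTRIB-2025-126):
# each entry is (inclusive lower bound, exclusive fixed version).
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("0.0.0", "9.3.13"),
    ("10.0.0", "10.0.2"),
    ("11.0.0", "11.0.1"),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a version string into a tuple that compares correctly.

    '9.3.13' -> (9, 3, 13, 1); '9.3.13-rc1' -> (9, 3, 13, 0), so a
    pre-release of the fixed version still sorts before the fix itself.
    Short forms such as '10.0' are padded to three numeric components.
    """
    v = v.strip().lstrip("v")
    core, sep, _pre = v.partition("-")
    parts = tuple(int(p) for p in core.split("."))
    parts = parts + (0,) * (3 - len(parts))
    return parts + ((0,) if sep else (1,))


def minimum_fixed_version(installed: str) -> Optional[str]:
    """Return the first fixed release for the installed branch, or None if
    the installed version is not in any affected range."""
    iv = parse_version(installed)
    for lower, fixed in AFFECTED_RANGES:
        if parse_version(lower) <= iv < parse_version(fixed):
            return fixed
    return None


def is_vulnerable(installed: str) -> bool:
    return minimum_fixed_version(installed) is not None


def audit(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each site running an affected version to the release it needs.

    `inventory` is {site name: installed HTTP Client Manager version}.
    """
    findings = {}
    for site, version in inventory.items():
        fixed = minimum_fixed_version(version)
        if fixed is not None:
            findings[site] = fixed
    return findings


# Constructed sample inventory (hypothetical site names and versions).
SAMPLE_INVENTORY = {
    "intranet": "9.3.12",
    "shop": "10.0.1",
    "docs": "11.0.0",
    "blog": "9.3.13-rc1",
    "portal": "10.0.2",
    "api": "11.0.1",
}

if __name__ == "__main__":
    for site, fixed in audit(SAMPLE_INVENTORY).items():
        print(f"{site}: affected, upgrade HTTP Client Manager to {fixed}")
```

Run as-is it reports intranet, shop, docs and blog as affected and leaves portal and api alone; the pre-release handling matters because a site pinned to a 9.3.13 release candidate is still below the fixed release.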
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206433
Vulnerability details
Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal HTTP Client Manager allows Forceful Browsing. This issue affects HTTP Client Manager: from 0.0.0 before 9.3.13, from 10.0.0 before 10.0.2, from 11.0.0 before 11.0.1.
- CWE(s): CWE-754 (Improper Check for Unusual or Exceptional Conditions)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote, unauthenticated exploitation of a public-facing Drupal module via forceful browsing directly matches T1190; the resulting application denial of service matches T1499.004.
Mitigating Controls (NIST 800-53 r5)
SI-2 mandates timely identification, reporting, and correction of software flaws, directly addressing this CVE by requiring patches to HTTP Client Manager versions 9.3.13, 10.0.2, or 11.0.1.
SI-11 requires secure error and exception handling to prevent denial-of-service from improper checks for unusual conditions, matching CWE-754 in the Drupal HTTP Client Manager.
SC-5 provides denial-of-service protections such as rate limiting to limit the availability impact of remote, unauthenticated exploitation of this forceful browsing vulnerability.