CVE-2025-14914
Published: 02 February 2026
Summary
CVE-2025-14914 is a high-severity Path Traversal (CWE-22) vulnerability in IBM WebSphere Application Server Liberty. Its CVSS base score is 7.6 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit-likelihood ranking sits at the 5.4th percentile (well below the median), and it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-14914 is a path traversal vulnerability (CWE-22) affecting IBM WebSphere Application Server Liberty versions 17.0.0.3 through 26.0.0.1. Published on 2026-02-02, it allows a privileged user to upload a zip archive containing path traversal sequences, which can overwrite arbitrary files on the server and lead to arbitrary code execution. The vulnerability has a CVSS v3.1 base score of 7.6 (AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts with a changed scope.
Exploitation requires a high-privileged remote attacker (PR:H) who can interact with the server over the network (AV:N). The attack demands high attack complexity (AC:H) and user interaction (UI:R), such as an administrator approving or performing the upload of a specially crafted zip archive. Successful exploitation enables file overwrites outside the intended directory, culminating in arbitrary code execution on the server.
IBM has published a security advisory at https://www.ibm.com/support/pages/node/7258224, which provides details on the vulnerability, affected versions, and recommended mitigations or patches. Security practitioners should consult this advisory for specific remediation steps.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206602
Vulnerability details
IBM WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.1 could allow a privileged user to upload a zip archive containing path traversal sequences resulting in an overwrite of files leading to arbitrary code execution.
- CWE(s): CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal')
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A zip upload carrying path traversal sequences to a public-facing WebSphere Liberty server lets the attacker overwrite files outside the extraction directory and, from there, reach arbitrary code execution, which is the Exploit Public-Facing Application pattern (T1190). Note the PR:H requirement: the attacker must already hold a privileged account on the server, so this is not an unauthenticated entry point.
Affected Assets
- IBM WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.1
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): apply IBM's fix for this path traversal flaw in WebSphere Liberty promptly, following the advisory linked above.
- SI-10 (Information Input Validation): validate every entry name in an uploaded zip archive and reject archives whose entries resolve outside the intended extraction directory; this blocks the file overwrite that the attack depends on.
- AC-6 (Least Privilege): restrict the upload function to the smallest set of administrative accounts that need it, since exploitation requires a privileged user.
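The zip-slip pattern described in the deeper analysis above, and the SI-10 entry-name validation listed under mitigating controls, as one added worked example. This is illustrative Python written for this page, not IBM's code and not the Liberty code path the advisory refers to (the advisory does not show it). The archive contents, the entry names and the temporary destination directory are all constructed here; the flawed extractor is the generic CWE-22 pattern of joining an untrusted entry name onto the destination, and the hardened check resolves each name and refuses the whole upload if any entry escapes.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path


def build_sample_zip() -> bytes:
    """Constructed archive standing in for the crafted upload: one benign entry
    plus two entries whose names carry path traversal sequences. The target
    file names are illustrative, not taken from the advisory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("app/config.properties", "key=value\n")
        zf.writestr("../../usr/servers/defaultServer/server.xml", "<server/>\n")
        zf.writestr("app/../../../etc/cron.d/backdoor", "* * * * * root id\n")
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Constructed archive with only well-formed relative entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("app/config.properties", "key=value\n")
        zf.writestr("app/lib/helper.txt", "ok\n")
    return buf.getvalue()


def unsafe_target_paths(zip_bytes: bytes, dest: str) -> list[str]:
    """The flawed pattern at the heart of CWE-22 in an archive extractor:
    join the entry name onto the destination and trust the result. Returns
    where each entry would land; it does not write anything."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [os.path.normpath(os.path.join(dest, i.filename)) for i in zf.infolist()]


def find_traversal_entries(zip_bytes: bytes, dest: str) -> list[str]:
    """Hardened check: resolve every entry name against dest and report the
    ones that escape it. Absolute names are reported too, and backslashes are
    treated as separators so a Windows-style '..\\' cannot slip past."""
    root = Path(dest).resolve()
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            candidate = (root / name).resolve()
            inside = candidate == root or root in candidate.parents
            if name.startswith("/") or not inside:
                flagged.append(info.filename)
    return flagged


def safe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Reject the whole upload if any entry escapes dest; otherwise extract and
    return the entry names written. Rejecting (and logging) beats silently
    relocating the entry: a traversal name is evidence of an attempt.
    Note: Python's own extractall already drops '..' components, so the
    explicit check is what turns a quiet rewrite into a hard refusal."""
    flagged = find_traversal_entries(zip_bytes, dest)
    if flagged:
        raise ValueError(f"upload rejected, traversal entries: {flagged}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest)
        return [i.filename for i in zf.infolist()]


def demo() -> dict:
    """Run both archives through the flawed and hardened paths; dest is a
    fresh temp directory standing in for the server's upload target."""
    dest = tempfile.mkdtemp(prefix="liberty_upload_")
    result = {
        "dest": dest,
        "unsafe_targets": unsafe_target_paths(build_sample_zip(), dest),
        "flagged": find_traversal_entries(build_sample_zip(), dest),
    }
    try:
        safe_extract(build_sample_zip(), dest)
        result["rejected"] = False
    except ValueError:
        result["rejected"] = True
    result["benign_written"] = safe_extract(build_benign_zip(), dest)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it shows the two traversal entries landing outside the destination under the flawed join, the same two names being flagged and the whole archive refused by the hardened path, and the benign archive extracting normally. The check deliberately operates on the resolved path rather than on a substring search for "..", so encoded, mixed-separator and symlink-assisted variants are judged by where they actually end up.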