Cyber Posture

CVE-2025-14915

Severity: Medium
Published: 25 March 2026
Modified: 30 March 2026
KEV Added: not listed
Patch: not recorded on this page
CVSS Score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0001 (2.1st percentile)
Risk Priority: 13 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-14915 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in IBM WebSphere Application Server Liberty. Its CVSS v3.1 base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 2.1st percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- Prevent: Directly remediates the specific privilege escalation flaw in IBM WebSphere Liberty through timely identification, reporting, and patching as advised by IBM.
- Prevent: Enforces least privilege for users, limiting the initial privileges available for escalation and reducing the impact of a vulnerability that already requires high privileges (PR:H).
- Prevent: Strengthens enforcement of access control policies in the application server to mitigate unauthorized privilege escalation beyond approved authorizations.

MITRE ATT&CK Enterprise Techniques

- T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

The advisory describes an explicit privilege escalation vulnerability that allows an authenticated, high-privileged user to obtain additional access and sensitive information on the server.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

IBM WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.3 is affected by privilege escalation. A privileged user could gain additional access to the application server.

Deeper analysis

CVE-2025-14915 is a privilege escalation vulnerability affecting IBM WebSphere Application Server Liberty versions 17.0.0.3 through 26.0.0.3. The issue allows a privileged user to gain additional access to the application server. NVD classifies it under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), with a secondary classification of NVD-CWE-noinfo. It has a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N): medium severity overall, but with high impact to confidentiality and integrity, reachable over the network.

Exploitation requires high privileges (PR:H), so an attacker must already hold a privileged account on the affected server, whether a legitimate insider or a compromised administrative identity. With low attack complexity and no user interaction needed, such a user can remotely escalate their access, potentially exposing sensitive information and modifying application server resources; availability is not affected (A:N). The practical risk therefore concentrates on how privileged Liberty accounts are issued, monitored and reviewed until the fix is applied.

IBM has published details and mitigation guidance in its security advisory at https://www.ibm.com/support/pages/node/7267345. Security practitioners should consult this reference for patch availability and recommended remediation steps for the vulnerable Liberty versions.

Details

CWE(s)

CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor); NVD-CWE-noinfo

Affected Products

IBM WebSphere Application Server, versions 17.0.0.3 through 26.0.0.4


References

- IBM security advisory for this issue: https://www.ibm.com/support/pages/node/7267345