CVE-2025-14923
Published: 03 March 2026
Summary
CVE-2025-14923 is a medium-severity Use of Hard-coded Cryptographic Key (CWE-321) vulnerability in IBM WebSphere Application Server. Its CVSS base score is 4.7 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001). The vulnerability ranks at the 6.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-12 (Cryptographic Key Establishment and Management).
Deeper analysis
CVE-2025-14923 is a security vulnerability in IBM WebSphere Application Server Liberty versions 17.0.0.3 through 26.0.0.2. It results in weaker than expected security when using the Security Utility to administer security settings. The issue maps to CWE-321 (Use of Hard-coded Cryptographic Key) and CWE-798 (Use of Hard-coded Credentials), with a CVSS v3.1 base score of 4.7 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N).
Exploitation requires local access to the system and low privileges, involves high attack complexity, and needs no user interaction. Successful exploitation enables high-impact unauthorized disclosure of confidential information, such as sensitive security configuration data, but does not affect integrity or availability.
IBM provides details on mitigation and patches in its security advisory at https://www.ibm.com/support/pages/node/7261761.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208253
Vulnerability details
Affected: IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.2.
IBM WebSphere Application Server Liberty could provide weaker than expected security when using the Security Utility when administering security settings.
- CWE(s): CWE-321 (Use of Hard-coded Cryptographic Key), CWE-798 (Use of Hard-coded Credentials)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Hard-coded keys and credentials in the Security Utility directly enable local extraction of sensitive security configuration data (Credentials In Files, T1552.001); the vulnerability also permits unauthorized local data access (Data from Local System, T1005).
Mitigating Controls (NIST 800-53 r5)
- SC-12 (Cryptographic Key Establishment and Management): directly requires proper cryptographic key establishment and management, eliminating the hard-coded keys (CWE-321) that weaken the Security Utility.
- IA-5 (Authenticator Management): mandates secure authenticator management practices that prohibit hard-coded credentials (CWE-798) in security administration tools.
- Cryptographic protection at rest: requires cryptographic protection of sensitive security configuration data at rest, limiting the disclosure impact of the weakened Security Utility.