CVE-2025-14974
Published: 25 March 2026
Summary
CVE-2025-14974 is a medium-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in IBM InfoSphere Information Server. Its CVSS base score is 5.7 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The vulnerability ranks at the 25.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2025-14974 is an Insecure Direct Object Reference (IDOR) vulnerability, classified under CWE-639, affecting IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6. Published on 2026-03-25, it carries a CVSS v3.1 base score of 5.7 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N), indicating a moderate severity issue primarily impacting confidentiality.
An adjacent network attacker with low privileges can exploit this vulnerability with low complexity and no user interaction. Exploitation enables high-impact unauthorized access to sensitive data through direct object manipulation, but does not allow integrity modifications or denial of service.
IBM's security advisory at https://www.ibm.com/support/pages/node/7266723 provides details on the vulnerability and recommended mitigation steps.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-209022
Vulnerability details
IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable due to Insecure Direct Object Reference (IDOR).
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
IDOR enables direct unauthorized read access to sensitive data objects on the server.
Mitigating Controls (NIST 800-53 r5)
AC-3 requires enforcement of approved authorizations for access to information and resources, directly preventing IDOR exploitation by ensuring manipulated object references are validated against user permissions.
AC-25 implements a reference monitor for complete mediation of all object references, comprehensively mitigating IDOR by blocking unauthorized direct access attempts.
AC-6 applies least privilege to limit the scope of accessible objects, reducing the impact of unauthorized data exposure through IDOR even if enforcement partially fails.