CVE-2025-14974

Medium

Published: 25 March 2026

Published

25 March 2026

Modified

26 March 2026

KEV Added

—

Patch

—

CVSS Score 5.7 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS Score 0.0009 25.1th percentile

Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-14974 is a medium-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Ibm Infosphere Information Server. Its CVSS base score is 5.7 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 25.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Data from Local System (T1005). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

AC-3 requires enforcement of approved authorizations for access to information and resources, directly preventing IDOR exploitation by ensuring manipulated object references are validated against user permissions.

AC-25 Reference Monitor good match

prevent

AC-25 implements a reference monitor for complete mediation of all object references, comprehensively mitigating IDOR by blocking unauthorized direct access attempts.

AC-6 Least Privilege partial match

prevent

AC-6 applies least privilege to limit the scope of accessible objects, reducing the impact of unauthorized data exposure through IDOR even if enforcement partially fails.

MITRE ATT&CK Enterprise TechniquesAI

T1005 Data from Local System Collection

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

attack.mitre.org →

Why these techniques?

IDOR enables direct unauthorized read access to sensitive data objects on the server.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable due to Insecure Direct Object Reference (IDOR).

Deeper analysisAI

CVE-2025-14974 is an Insecure Direct Object Reference (IDOR) vulnerability, classified under CWE-639, affecting IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6. Published on 2026-03-25, it carries a CVSS v3.1 base score of 5.7 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N), indicating a moderate severity issue primarily impacting confidentiality.

An adjacent network attacker with low privileges can exploit this vulnerability with low complexity and no user interaction. Exploitation enables high-impact unauthorized access to sensitive data through direct object manipulation, but does not allow integrity modifications or denial of service.

IBM's security advisory at https://www.ibm.com/support/pages/node/7266723 provides details on the vulnerability and recommended mitigation steps.

Details

CWE(s): CWE-639

Affected Products

ibm

infosphere information server

11.7.0.0 — 11.7.1.6

CVEs Like This One

CVE-2024-52363Same product: Ibm Aix

CVE-2025-36258Same product: Ibm Aix

CVE-2024-7577Same product: Ibm Aix

CVE-2024-51459Same product: Ibm Aix

CVE-2024-49781Same product: Linux Linux Kernel

CVE-2024-54171Same product: Linux Linux Kernel

CVE-2025-13855Same product: Ibm Aix

CVE-2025-69274Same product: Linux Linux Kernel

CVE-2024-38337Same product: Ibm Aix

CVE-2024-41783Same product: Ibm Aix

References

https://www.ibm.com/support/pages/node/7266723
Vendor Advisory · psirt@us.ibm.com