{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14915", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "state": "PUBLISHED", "assignerShortName": "ibm", "dateReserved": "2025-12-18T19:51:26.277Z", "datePublished": "2026-03-25T20:12:27.207Z", "dateUpdated": "2026-03-25T20:17:59.777Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2026-03-25T20:17:59.777Z"}, "title": "IBM WebSphere Application Server Liberty is affected by a privilege escalation vulnerability", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "affected": [{"vendor": "IBM", "product": "WebSphere Application Server - Liberty", "versions": [{"status": "affected", "version": "17.0.0.3", "lessThanOrEqual": "26.0.0.3", "versionType": "semver"}], "cpes": ["cpe:2.3:a:ibm:websphere_application_server___liberty:17.0.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server___liberty:26.0.0.3:*:*:*:*:*:*:*"]}], "descriptions": [{"lang": "en", "value": "IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.3 IBM WebSphere Application Server Liberty is affected by privilege escalation. A privileged user could gain additional access to the application server.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.3 IBM WebSphere Application Server Liberty is affected by privilege escalation. A privileged user could gain additional access to the application server.</p>"}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7267345", "tags": ["vendor-advisory", "patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N"}}], "solutions": [{"lang": "en", "value": "IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR\u00a0PH70327. To determine if a feature is enabled for IBM WebSphere Application Server Liberty, refer to\u00a0 How to determine if Liberty is using a specific feature https://www.ibm.com/support/pages/node/6553910 .\u00a0\n\nFor IBM WebSphere Application Server Liberty 17.0.0.3 - 26.0.0.3 using the restConnector-1.0 or restConnector-2.0 feature(s):\u00a0\n\u00b7 Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves\u00a0 PH70327 https://www.ibm.com/support/pages/node/7266844 \u00a0\n--OR--\n\u00b7 Apply Liberty Fix Pack 26.0.0.4 or later (targeted availability 2Q2026).\u00a0\n\nAdditional interim fixes may be available and linked off the interim fix download page.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR&nbsp;PH70327. To determine if a feature is enabled for IBM WebSphere Application Server Liberty, refer to&nbsp;<a title=\"How to determine if Liberty is using a specific feature\" href=\"https://www.ibm.com/support/pages/node/6553910\" rel=\"nofollow\">How to determine if Liberty is using a specific feature</a>.&nbsp;<br><br><strong>For IBM WebSphere Application Server Liberty 17.0.0.3 - 26.0.0.3 using the restConnector-1.0 or restConnector-2.0 feature(s):&nbsp;</strong><br>\u00b7 Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves&nbsp;<a href=\"https://www.ibm.com/support/pages/node/7266844\" rel=\"nofollow\">PH70327</a>&nbsp;<br>--OR--<br>\u00b7 Apply Liberty Fix Pack 26.0.0.4 or later (targeted availability 2Q2026).&nbsp;<br><br>Additional interim fixes may be available and linked off the interim fix download page.</p>"}]}], "x_generator": {"engine": "ibm-cvegen"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.3 IBM WebSphere Application Server Liberty is affected by privilege escalation. A privileged user could gain additional access to the application server."}], "id": "CVE-2025-14915", "lastModified": "2026-03-25T21:16:24.363", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.2, "source": "psirt@us.ibm.com", "type": "Primary"}]}, "published": "2026-03-25T21:16:24.363", "references": [{"source": "psirt@us.ibm.com", "url": "https://www.ibm.com/support/pages/node/7267345"}], "sourceIdentifier": "psirt@us.ibm.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "psirt@us.ibm.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T21:27:01.223770+00:00", "value": {"mitigation_remediation": ["Apply the interim fix PH70327 or upgrade to the minimal fix pack level required by the interim fix.", "Alternatively, install Liberty Fix Pack 26.0.0.4 or a later version when it becomes available.", "Verify that restConnector features are correctly configured and follow IBM\u2019s guidance on feature enablement.", "Check the interim fix download page for any additional interim fixes applicable to your deployment."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "IBM WebSphere Application Server Liberty versions 17.0.0.3 through 26.0.0.3 that have the restConnector-1.0 or restConnector-2.0 features enabled are susceptible. The issue specifically impacts installations of these feature sets in the mentioned version range.", "description_and_impact": "The vulnerability enables a privileged user to elevate privileges within the IBM WebSphere Application Server Liberty environment, effectively allowing unauthorized escalation of access rights. This can lead to misuse of application server resources, potential data exposure, and further exploitation opportunities. The weakness is identified as an information exposure flaw, where privileged operations are improperly restricted.", "risk_and_exploitability": "The flaw has a CVSS score of 6.5 indicating a moderate risk level. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. It is inferred that the attack vector requires presence of a privileged user and access to the application server; therefore, it is likely a local privilege escalation scenario that could be leveraged if an attacker can obtain initial privileged access or exploit misconfigured feature settings."}}}}, "created": "2026-03-25T21:46:15.204292+00:00", "updated": "2026-03-25T21:46:15.204342+00:00", "vendors": []}