{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14917", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "state": "PUBLISHED", "assignerShortName": "ibm", "dateReserved": "2025-12-18T19:59:28.180Z", "datePublished": "2026-03-25T20:13:55.049Z", "dateUpdated": "2026-03-25T20:19:13.832Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2026-03-25T20:19:13.832Z"}, "title": "IBM WebSphere Application Server Liberty could provide weaker than expected security", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-1393", "description": "CWE-1393 Use of Default Password", "type": "CWE"}]}], "affected": [{"vendor": "IBM", "product": "WebSphere Application Server - Liberty", "versions": [{"status": "affected", "version": "17.0.0.3", "lessThanOrEqual": "26.0.0.3", "versionType": "semver"}], "cpes": ["cpe:2.3:a:ibm:websphere_application_server___liberty:17.0.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server___liberty:26.0.0.3:*:*:*:*:*:*:*"]}], "descriptions": [{"lang": "en", "value": "IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.3 IBM WebSphere Application Server Liberty could provide weaker than expected security when administering security settings.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.3 IBM WebSphere Application Server Liberty could provide weaker than expected security when administering security settings.</p>"}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7267362", "tags": ["vendor-advisory", "patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "MEDIUM", "baseScore": 6.7, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}}], "solutions": [{"lang": "en", "value": "IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR\u00a0PH70078.\u00a0To determine if a feature is enabled for IBM WebSphere Application Server Liberty, refer to\u00a0 How to determine if Liberty is using a specific feature https://www.ibm.com/support/pages/node/6553910 .\u00a0\n\nAttention: After installing the interim fix or fixpack, please follow the additional instructions provided in the interim fix link referenced below to complete the remediation.\n\nFor IBM WebSphere Application Server Liberty 17.0.0.3 - 26.0.0.3 using the appSecurity-1.0, appSecurity-2.0, appSecurity-3.0, appSecurity-4.0 or appSecurity-5.0 feature(s):\u00a0\n\u00b7 Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves\u00a0 PH70078 https://www.ibm.com/support/pages/node/7266845 \u00a0and carefully follow the instructions for steps required after fix installation.\n--OR--\n\u00b7 Apply Liberty Fix Pack 26.0.0.4 or later (targeted availability 2Q2026).\n\nAdditional interim fixes may be available and linked off the interim fix download page.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR&nbsp;PH70078.&nbsp;To determine if a feature is enabled for IBM WebSphere Application Server Liberty, refer to&nbsp;<a title=\"How to determine if Liberty is using a specific feature\" href=\"https://www.ibm.com/support/pages/node/6553910\" rel=\"nofollow\">How to determine if Liberty is using a specific feature</a>.&nbsp;</p><p><strong>Attention: After installing the interim fix or fixpack, please follow the additional instructions provided in the interim fix link referenced below to complete the remediation.</strong><br><br><strong>For IBM WebSphere Application Server Liberty 17.0.0.3 - 26.0.0.3 using the appSecurity-1.0, appSecurity-2.0, appSecurity-3.0, appSecurity-4.0 or appSecurity-5.0 feature(s):&nbsp;</strong><br>\u00b7 Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves&nbsp;<a href=\"https://www.ibm.com/support/pages/node/7266845\" rel=\"nofollow\">PH70078</a>&nbsp;<strong>and carefully follow the instructions for steps required after fix installation.</strong><br>--OR--<br>\u00b7 Apply Liberty Fix Pack 26.0.0.4 or later (targeted availability 2Q2026).<br><br>Additional interim fixes may be available and linked off the interim fix download page.</p>"}]}], "x_generator": {"engine": "ibm-cvegen"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.3 IBM WebSphere Application Server Liberty could provide weaker than expected security when administering security settings."}], "id": "CVE-2025-14917", "lastModified": "2026-03-25T21:16:24.550", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 5.9, "source": "psirt@us.ibm.com", "type": "Primary"}]}, "published": "2026-03-25T21:16:24.550", "references": [{"source": "psirt@us.ibm.com", "url": "https://www.ibm.com/support/pages/node/7267362"}], "sourceIdentifier": "psirt@us.ibm.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1393"}], "source": "psirt@us.ibm.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T21:26:19.815281+00:00", "value": {"mitigation_remediation": ["Apply the interim fix PH70078 from IBM immediately.", "Upgrade to Liberty Fix Pack 26.0.0.4 or later if it contains the fix for PH70078.", "Follow the post\u2011fix instructions provided in the interim fix documentation to complete remediation.", "Verify which appSecurity feature is enabled in your Liberty installation.", "Check for additional interim fixes linked from the download page and apply them as they become available."], "summary": {"action": "Immediate Patch", "impact": "Weaker security in configuration management, potentially allowing unauthorized modification of security settings."}, "threat_synthesis": {"affected_systems": "Affected systems are IBM WebSphere Application Server Liberty builds from 17.0.0.3 up to 26.0.0.3. The issue appears when the appSecurity\u20111.0 through appSecurity\u20115.0 features are enabled. The vulnerability affects the security configuration modules of the application server and is relevant to any installation within this version range.", "description_and_impact": "The vulnerability in IBM WebSphere Application Server Liberty versions 17.0.0.3 through 26.0.0.3 allows administrators to encounter weaker-than-expected security when managing security settings. This weakness (CWE\u20111393) could enable an attacker with access to the administrative configuration interface to bypass intended restrictions, modify authentication or authorization rules, or otherwise compromise the integrity and confidentiality of the application server.", "risk_and_exploitability": "The CVSS score of 6.7 reflects moderate severity; EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. Likely exploitation requires an attacker who can reach the Liberty administrative console or who has local access to the server, as the weakness manifests when configuration settings are applied. Because the official mitigation is an interim fix or higher fix pack, the risk can be significantly reduced by promptly applying the recommended updates."}}}}, "created": "2026-03-25T21:46:14.297939+00:00", "updated": "2026-03-25T21:46:14.297972+00:00", "vendors": []}