Severity by source
AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.3 IBM WebSphere Application Server Liberty could provide weaker than expected security when administering security settings.
AnalysisAI
IBM WebSphere Application Server Liberty versions 17.0.0.3 through 26.0.0.3 contain a vulnerability in security settings administration that could allow authenticated attackers with high privileges to bypass expected security controls and gain unauthorized access to sensitive information. The vulnerability affects a critical administrative interface and, while it requires local access and high privileges to exploit, could enable lateral privilege escalation or information disclosure within enterprise environments. No evidence of active exploitation or public proof-of-concept has been reported, but a vendor patch is available.
Technical ContextAI
This vulnerability relates to CWE-1393 (Weak Security Settings Administration), which describes improper enforcement of security policies during configuration and administration of security parameters. IBM WebSphere Application Server Liberty (confirmed via CPE cpe:2.3:a:ibm:websphere_application_server_-_liberty) is a lightweight application server framework used to deploy Java-based enterprise applications. The affected versions (17.0.0.3 through 26.0.0.3) span a significant release history, suggesting the vulnerability is rooted in how the administrative console or configuration framework validates and applies security-related settings. The weakness likely exists in the security realm configuration, user role mapping, or permission enforcement logic that governs who can access what resources within the application server.
RemediationAI
Apply the security patch provided by IBM at https://www.ibm.com/support/pages/node/7267362, which addresses the vulnerability in all affected versions. Upgrade to a patched release within the 17.x, 18.x through 26.x lines (exact patch versions are available in the IBM advisory). Until patching is completed, enforce the principle of least privilege by restricting administrative console access to a minimal set of trusted administrators, disable non-essential administrative features if available, and ensure all administrative access is logged and monitored. Consider implementing network-level access controls to limit who can reach the WebSphere Liberty administrative interfaces (port 9080 or 9443 by default). Test patches in a staging environment before production deployment to ensure compatibility with existing security configurations.
Same weakness CWE-1393 – Use of Default Password
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209021
GHSA-436f-fmh9-32gq