Platform: ibm
Component: websphere-application-server-liberty
Fixed in: 26.0.1
CVE-2025-14914 describes a Path Traversal vulnerability affecting IBM WebSphere Application Server Liberty. A privileged user can exploit this flaw by uploading a specially crafted zip archive containing path traversal sequences, allowing them to overwrite files and potentially achieve arbitrary code execution. This vulnerability impacts versions 17.0.0.3 through 26.0.0.1, and a fix is available from IBM.
The primary impact of CVE-2025-14914 is the potential for arbitrary code execution on the affected WebSphere Application Server Liberty instance. An attacker, possessing privileged access, can upload a zip file containing path traversal sequences (e.g., ../../../../) to overwrite critical system files. This overwrite could lead to the execution of malicious code, granting the attacker complete control over the server. The blast radius extends to any data processed by the Liberty server, including sensitive user data, application configurations, and potentially database credentials. This vulnerability shares similarities with other path traversal exploits where attackers leverage file system navigation to bypass security controls.
CVE-2025-14914 was publicly disclosed on 2026-02-02. Its CISA KEV status is unknown at this time; inclusion in the KEV catalog would indicate a higher probability of exploitation. Public proof-of-concept (POC) code is currently unavailable, but the nature of path traversal vulnerabilities often makes them relatively easy to exploit once a suitable attack vector is identified. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting WebSphere Application Server Liberty.
Exploit Status
EPSS: 0.01% (2nd percentile)
CISA SSVC
CVSS Vector
The recommended mitigation for CVE-2025-14914 is to upgrade to a patched version of WebSphere Application Server Liberty as soon as possible. IBM has released a fix, and the specific version number should be consulted in the official security advisory. If immediate patching is not feasible, consider implementing a Web Application Firewall (WAF) with rules to block the upload of zip files containing suspicious path traversal sequences. Additionally, restrict file upload privileges to only authorized users and implement strict input validation to prevent malicious file names. After upgrade, verify the fix by attempting to upload a test zip file with a path traversal sequence and confirming that the upload is blocked.
Update IBM WebSphere Application Server Liberty to a version later than 26.0.0.1 that has fixed the path traversal vulnerability. Consult the IBM advisory for more details on the fixed versions and the upgrade instructions.
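The "strict input validation" the mitigation above calls for amounts to checking, before any entry is written to disk, that every archive entry resolves to a path inside the intended extraction root. The following is an added example of such a pre-extraction check; it is not IBM's code and not part of the Liberty fix. The extraction root `/opt/extract` and the archive contents are constructed for the demonstration. The check treats backslashes as separators (zip writers on Windows emit them, and a naive check that only looks for `../` misses `..\`) and rejects absolute paths and drive-letter prefixes, so it generalises beyond the `../../../../` form quoted in the description.

```python
import io
import posixpath
import zipfile


def entry_escapes_root(name: str, root: str = "/opt/extract") -> bool:
    """Return True if a zip entry name would resolve outside `root`.

    `root` is an assumed extraction directory for this example. Both '/'
    and '\\' are treated as separators, absolute paths and drive letters
    are rejected outright, and the normalised joined path must still sit
    under root.
    """
    normalised = name.replace("\\", "/")
    # Absolute entries ("/etc/passwd") or drive letters ("C:/...") escape by definition.
    if normalised.startswith("/") or (len(normalised) > 1 and normalised[1] == ":"):
        return True
    root_norm = posixpath.normpath(root)
    target = posixpath.normpath(posixpath.join(root_norm, normalised))
    return not (target == root_norm or target.startswith(root_norm + "/"))


def scan_archive(data: bytes, root: str = "/opt/extract") -> list[str]:
    """Return the names of every entry in the zip bytes that would escape root.

    A non-empty result means the upload should be rejected before extraction;
    nothing is written to disk here.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [info.filename for info in zf.infolist()
                if entry_escapes_root(info.filename, root)]


def build_sample_archive() -> bytes:
    """Constructed test archive: one benign entry and two traversal entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("app/config.xml", "<config/>")
        zf.writestr("../../../../tmp/owned.txt", "forward-slash traversal")
        zf.writestr("..\\..\\win.txt", "backslash traversal")
    return buf.getvalue()


if __name__ == "__main__":
    bad = scan_archive(build_sample_archive())
    for name in bad:
        print(f"rejected entry: {name!r}")
    print("archive accepted" if not bad else "archive rejected")
```

Running the block rejects the two traversal entries and keeps `app/config.xml`. The same function doubles as the post-upgrade verification step described above: feeding it a test archive with a traversal entry should report that entry rather than allowing the upload through.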
CVE-2025-14914 is a Path Traversal vulnerability in WebSphere Application Server Liberty versions 17.0.0.3–26.0.0.1, allowing attackers to overwrite files and potentially achieve arbitrary code execution.
If you are running WebSphere Application Server Liberty versions 17.0.0.3 through 26.0.0.1, you are potentially affected by this vulnerability. Check your version and upgrade accordingly.
Upgrade to a patched version of WebSphere Application Server Liberty as recommended by IBM. Implement WAF rules as a temporary mitigation if patching is delayed.
While no active exploitation has been publicly confirmed, the nature of path traversal vulnerabilities suggests a potential for exploitation. Monitor security advisories and threat intelligence feeds.
Refer to the official IBM Security Bulletin for CVE-2025-14914 for detailed information and the latest updates: [https://www.ibm.com/support/kbdoc/](https://www.ibm.com/support/kbdoc/)