Seven IBM WebSphere Liberty flaws can be chained into full takeover

AdminCenter flaws allow further escalation: Beyond initial access, the research outlined critical issues within WebSphere Liberty's administrative controls. The AdminCenter component, designed to enforce role-based access, contains multiple flaws that allow low-privileged users to access sensitive files and secrets.

One issue, tracked under CVE-2025-14915, enables "reader"-level users to retrieve critical server files such as authentication keys, which can then be used to forge tokens and impersonate higher-privileged users. Another problem (CVE-2025-14917) lies in hardcoded passwords protecting token-signing LTPA keys, alongside encryption utilities that ship with static keys (CVE-2025-14923) across all modes.

The rest of the chain includes an archive extraction flaw (CVE-2025-14914) that can be abused to write files outside intended directories, alongside insecure handling (CVE unassigned) of configuration data where sensitive entries, like credentials "in server.xml," can be retrieved or reused once access is gained.

The researchers detailed the full chain, noting that a low-privileged "reader" user can extract or recover admin credentials from exposed configuration data, or alternatively forge an admin token using decrypted LTPA keys, gaining full administrative access. From there, the archive extraction flaw allows arbitrary file writes via a Zip Slip-style attack, ultimately leading to remote code execution.

IBM did not immediately respond to CSO's request for comments on the disclosed attack chain.

Other than applying necessary patches, Oligo urged organizations to rotate any secrets ever generated using "SecurityUtility," as default XOR and AES modes make them effectively reversible, and to move to custom encryption keys going forward. It also recommended using auditing and limiting reader-role assignments, since those users can potentially escalate to full administrative access.
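The rotation advice above is easiest to act on with an inventory of which secrets in server.xml were produced with the default SecurityUtility modes. The following audit script is an added example, not code from the article or from IBM; it assumes Liberty's usual `{xor}`, `{aes}` and `{hash}` value prefixes and a constructed server.xml fragment, and it only classifies entries, it does not decode anything.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragment; attribute names and values are
# illustrative and do not come from any real server or from the article.
SAMPLE_SERVER_XML = """<server description="demo">
  <basicRegistry id="basic" realm="BasicRealm">
    <user name="admin" password="{hash}CONSTRUCTEDHASHVALUE="/>
  </basicRegistry>
  <ltpa keysFileName="resources/security/ltpa.keys" keysPassword="{xor}CONSTRUCTEDXOR="/>
  <keyStore id="defaultKeyStore" password="{aes}CONSTRUCTEDAES=="/>
  <dataSource id="ds1">
    <properties.db2.jcc user="dbuser" password="plaintext-secret"/>
  </dataSource>
</server>
"""

# Value prefixes emitted by securityUtility encode (assumed format).
ENCODING_PREFIX = re.compile(r"^\{(xor|aes|hash)\}")

# Policy per encoding mode: xor is obfuscation only, aes is reversible unless a
# custom key was configured, an unprefixed value is plaintext, hash is one-way.
ACTIONS = {
    "xor": "rotate: XOR obfuscation is reversible",
    "aes": "verify a custom encryption key is configured, otherwise rotate",
    "plaintext": "rotate: stored unencoded",
}


def audit_server_xml(xml_text):
    """Return (element, attribute, mode, action) for every password-like
    attribute whose value is not a one-way {hash}."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        for attr, value in elem.attrib.items():
            if "password" not in attr.lower():
                continue
            match = ENCODING_PREFIX.match(value)
            mode = match.group(1) if match else "plaintext"
            if mode == "hash":
                continue  # one-way hash; nothing to rotate on this basis
            findings.append((elem.tag, attr, mode, ACTIONS[mode]))
    return findings


if __name__ == "__main__":
    for tag, attr, mode, action in audit_server_xml(SAMPLE_SERVER_XML):
        print(f"{tag}@{attr}: {mode} -> {action}")
```

Run it against each server's server.xml and any included configuration files; every `xor` or `plaintext` finding is a secret to rotate, and every `aes` finding needs confirmation that it was not encrypted with the shipped default key.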

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4157807/seven-ibm-websphere-liberty-flaws-can-be-chained-into-full-takeover.html
