CVE-2025-14290
Description
IBM webMethods Integration (on prem) - Integration Server 10.15 through IS_10.15_Core_Fix26 and 11.1 through IS_11.1_Core_Fix10 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An SSRF in the IBM webMethods Integration Server Admin UI lets authenticated attackers send unauthorized requests, enabling network enumeration or further attacks.
Vulnerability
IBM webMethods Integration (on prem) – Integration Server versions 10.15 through IS_10.15_Core_Fix26 and 11.1 through IS_11.1_Core_Fix10 contain a server-side request forgery (SSRF) vulnerability [1]. The flaw resides in the Administration > Publishing > Add subscriber Admin UI page, which does not properly validate user-supplied URLs, allowing an attacker to make the server issue HTTP requests to arbitrary destinations [1].
Exploitation
An attacker must be authenticated to the Administration interface and navigate to the affected page [1]. By providing a crafted URL in the subscriber configuration, they can trigger the server to initiate outbound HTTP connections to internal or external systems under the identity of the Integration Server [1]. No special network position beyond access to the admin web console is required.
Impact
Successful exploitation allows the attacker to send unauthorized HTTP requests from the Integration Server. This can be used to probe internal network services (network enumeration) or as a stepping stone for further attacks [1]. The CVSS score of 5.4 (medium) indicates limited impact to confidentiality and integrity, but no direct impact on availability [1].
Mitigation
IBM released core fixes to address this vulnerability: IS_10.15_Core_Fix27 (or later) for the 10.15 stream, and IS_11.1_Core_Fix11 (or later) for the 11.1 stream [1]. These fixes can be applied via IBM webMethods Update Manager [1]. No workarounds are provided, so applying the appropriate core fix is the only remediation [1].
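The fix levels above can be checked against an inventory of installed fixes. The following Python is an added example, not IBM tooling and not part of the original page; it assumes fix names follow the `IS_<stream>_Core_Fix<n>` pattern shown here, that the highest installed number is the current level, and that the host names and fix lists are constructed.

```python
import re

# First fixed core-fix number per release stream, taken from the Mitigation text.
FIRST_FIXED = {"10.15": 27, "11.1": 11}

_FIX_NAME = re.compile(r"^IS_(\d+\.\d+)_Core_Fix(\d+)$")


def core_fix_level(stream, installed_fixes):
    """Highest Core_Fix number installed for `stream`; 0 if none is installed."""
    level = 0
    for name in installed_fixes:
        m = _FIX_NAME.match(name.strip())
        # Compare numerically: as strings, "Fix9" would sort above "Fix26".
        if m and m.group(1) == stream:
            level = max(level, int(m.group(2)))
    return level


def assess(stream, installed_fixes):
    """Return (status, detail); status is 'affected', 'fixed' or 'unknown'."""
    needed = FIRST_FIXED.get(stream)
    if needed is None:
        # The page covers only 10.15 and 11.1; do not guess for other streams.
        return "unknown", f"stream {stream} is not covered by the advisory text"
    level = core_fix_level(stream, installed_fixes)
    if level >= needed:
        return "fixed", f"IS_{stream}_Core_Fix{level} installed"
    current = f"IS_{stream}_Core_Fix{level}" if level else f"{stream}, no core fix"
    return "affected", f"{current}; apply IS_{stream}_Core_Fix{needed} or later"


# Constructed inventory for illustration: host -> (stream, installed fix names).
INVENTORY = {
    "is-host-a": ("10.15", ["IS_10.15_Core_Fix9", "IS_10.15_Core_Fix26"]),
    "is-host-b": ("10.15", ["IS_10.15_Core_Fix27"]),
    "is-host-c": ("11.1", []),  # base release, nothing applied
    "is-host-d": ("11.1", ["IS_11.1_Core_Fix11", "EXAMPLE_OTHER_Fix3"]),
}

if __name__ == "__main__":
    for host, (stream, fixes) in sorted(INVENTORY.items()):
        status, detail = assess(stream, fixes)
        print(f"{host}: {status} ({detail})")
```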
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 10.15 through IS_10.15_Core_Fix26; 11.1 through IS_11.1_Core_Fix10
References