Description
IBM webMethods Integration (on prem) - Integration Server 10.15 through IS_10.15_Core_Fix2611.1 to IS_11.1_Core_Fix10 IBM webMethods Integration is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.
Published: 2026-05-26
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

IBM webMethods Integration Server is vulnerable to server‑side request forgery (SSRF). An authenticated attacker can trigger the server to send unauthorized HTTP requests to internal or external hosts. This can enable network enumeration, reveal internal infrastructure, or serve as a foothold for further attacks.

Affected Systems

The affected product is IBM webMethods Integration Server (on‑premises), versions 10.15 and 11.1. The vulnerability exists in all releases up to IS_10.15_Core_Fix2611.1 for 10.15 and up to IS_11.1_Core_Fix10 for 11.1. Any deployment of these versions that has not applied the recommended core fixes is susceptible.

Risk and Exploitability

The CVSS score of 5.4 suggests moderate severity, and EPSS is currently unavailable. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires authenticated access, meaning the threat surface is limited to users with valid credentials. An attacker could abuse the SSRF to probe internal network services or to initiate connections to untrusted external resources. The recommended remedial path is to apply the latest core fixes promptly.

Generated by OpenCVE AI on May 26, 2026 at 18:29 UTC.

Remediation

Vendor Solution

IBM strongly recommends addressing the vulnerability now by applying the mentioned core fixes or later core fixes for the affected versions and following the respective fix readme document.

  • IS_10.15_Core_Fix27 or later
  • IS_11.1_Core_Fix11 or later

Fixes can be downloaded and installed via IBM webMethods Update Manager. Refer to "How to Download webMethods Software": https://www.ibm.com/support/pages/node/7232491


OpenCVE Recommended Actions

  • Use IBM webMethods Update Manager to install IS_10.15_Core_Fix27 or later (for 10.15) or IS_11.1_Core_Fix11 or later (for 11.1), following the vendor’s fix readme.
  • If a patch cannot be applied immediately, restrict the Integration Server’s outbound traffic to only approved hosts or IP ranges using firewall or network segmentation.
  • Continuously audit incoming request logs for unexpected external target addresses and investigate any anomalies.

Advisories

No advisories yet.

History

Tue, 26 May 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Ibm webmethods Integration On Prem Integration Server
Vendors & Products Ibm webmethods Integration On Prem Integration Server

Tue, 26 May 2026 17:00:00 +0000

Type Values Removed Values Added
Description IBM webMethods Integration (on prem) -Integration Server 10.15 through IS_10.15_Core_Fix2611.1 to IS_11.1_Core_Fix10 IBM webMethods Integration is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.
Title IBM webMethods Integration Server is vulnerable to server-side request forgery
First Time appeared Ibm
Ibm webmethods Integration On Prem Integration Server
Weaknesses CWE-918
CPEs cpe:2.3:a:ibm:webmethods_integration_on_prem__integration_server:10.15.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:webmethods_integration_on_prem__integration_server:10.15:*:*:*:*:*:*:*
cpe:2.3:a:ibm:webmethods_integration_on_prem__integration_server:is_10.15_core_fix2611.1:*:*:*:*:*:*:*
Vendors & Products Ibm
Ibm webmethods Integration On Prem Integration Server
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-05-26T18:40:31.423Z

Reserved: 2025-12-08T19:17:35.305Z

Link: CVE-2025-14290

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-26T17:16:28.417

Modified: 2026-05-26T19:06:14.330

Link: CVE-2025-14290

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T18:30:12Z

Weaknesses