PatchSiren cyber security CVE debrief

CVE-2025-14290 IBM CVE debrief

IBM webMethods Integration (on-premises) contains a server-side request forgery (SSRF) vulnerability affecting Integration Server versions 10.15 through IS_10.15_Core_Fix2611.1 and IS_11.1 through IS_11.1_Core_Fix10. An authenticated attacker can exploit this flaw to send unauthorized requests from the system, potentially enabling network enumeration or facilitating additional attacks. The vulnerability is classified as CWE-918 (Server-Side Request Forgery). IBM has published a security bulletin with remediation guidance.

Vendor: IBM
Product: webMethods Integration (on-prem) - Integration Server
CVSS: MEDIUM 5.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-26
Original CVE updated: 2026-05-26
Advisory published: 2026-05-26
Advisory updated: 2026-05-26

Who should care

Organizations running on-premises IBM webMethods Integration Server 10.15.x or 11.1.x deployments; security teams responsible for integration middleware; compliance officers tracking IBM product security advisories.

Technical summary

The vulnerability exists in IBM webMethods Integration Server's handling of outbound requests: an authenticated user can steer the server into making requests to destinations of their choosing. This SSRF weakness (CWE-918) can be leveraged for internal network reconnaissance, access to cloud metadata services, or as a stepping stone to further compromise. The attack requires low-privilege authenticated access, uses a network-based attack vector, and has low attack complexity. Confidentiality and integrity impacts are rated low; availability is not affected.

Defensive priority

Medium

Recommended defensive actions

  • Apply IBM-provided core fixes: IS_10.15_Core_Fix2611.1 or later for 10.15.x, or IS_11.1_Core_Fix10 or later for 11.1.x
  • Review and restrict outbound network connectivity from Integration Server instances to reduce SSRF blast radius
  • Audit authentication and authorization controls for Integration Server administrative interfaces
  • Monitor for anomalous outbound network requests originating from webMethods Integration Server systems
  • Consult IBM security bulletin for detailed patch deployment instructions and additional hardening recommendations
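One way to put the egress-restriction and monitoring items above into practice, as an added example that is neither PatchSiren's nor IBM's code: a small Python checker that reads outbound-connection records from an Integration Server host and flags any destination outside an explicit allowlist, labelling cloud metadata endpoints and private address space separately because those are the destinations an SSRF is most often aimed at. The log format, the allowlist and the sample records are all constructed assumptions for this example.

```python
import ipaddress

# Constructed sample records: "<timestamp> <source_host> <destination_ip> <port>".
# This format is assumed for the example; it is not IBM's log format.
SAMPLE_LOG = """\
2026-05-26T18:01:02Z is-node1 203.0.113.10 443
2026-05-26T18:01:05Z is-node1 169.254.169.254 80
2026-05-26T18:01:09Z is-node1 10.0.5.20 5432
2026-05-26T18:01:11Z is-node1 10.0.9.8 22
2026-05-26T18:01:15Z is-node1 192.0.2.44 8443
"""

# Assumed egress allowlist for this host: one partner API range plus one internal database.
ALLOWED = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "10.0.5.20/32")]

# Link-local metadata endpoint used by the major cloud providers' instance metadata services.
METADATA_ENDPOINTS = {ipaddress.ip_address("169.254.169.254")}

# RFC 1918 space plus loopback: reachable only from inside, so a prime SSRF target.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def classify(dst: str) -> str:
    """Label one destination: allowed, metadata, internal, or external."""
    ip = ipaddress.ip_address(dst)
    if any(ip in net for net in ALLOWED):
        return "allowed"
    if ip in METADATA_ENDPOINTS:
        return "metadata"
    if any(ip in net for net in INTERNAL_RANGES):
        return "internal"
    return "external"


def find_anomalies(log_text: str) -> list:
    """Return (timestamp, destination, label) for every record not on the allowlist."""
    hits = []
    for line in log_text.splitlines():
        ts, _host, dst, _port = line.split()
        label = classify(dst)
        if label != "allowed":
            hits.append((ts, dst, label))
    return hits
```

Run against the sample, the checker reports the metadata-endpoint request, the unlisted internal host and the unlisted external host, and stays silent on the two allowlisted destinations.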

Evidence notes

CVE published 2026-05-26T17:16:28.417Z; modified 2026-05-26T19:06:14.330Z. IBM PSIRT reference confirms vendor acknowledgment. CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N.
