Overview/Introduction
IBM WebSphere Liberty is a lightweight, modular Java EE runtime that powers thousands of enterprise applications. In early April 2026, Oligo Security disclosed a chain of seven vulnerabilities that together enable a full compromise of any Liberty instance that runs the vulnerable SAML Web SSO module and the AdminCenter console. The research demonstrates how a single pre-authentication flaw can be leveraged to bypass authentication, read sensitive configuration files, forge tokens, and ultimately execute arbitrary code with system privileges.
The findings are especially concerning for organizations that expose SAML endpoints to the Internet or that grant low-privilege users access to the AdminCenter UI. IBM has issued patches for all affected CVEs, but many deployments remain unpatched, leaving a large attack surface.
Technical Details
CVE-2026-1561 - Pre-authentication Remote Code Execution in SAML SSO
This vulnerability resides in the com.ibm.websphere.security.saml component that processes SAML-based single sign-on (SSO) cookies. The server is meant to validate the cookie by appending a server-side secret with String.concat() and checking the result, but the return value of concat() is discarded. Because String.concat() returns a new String rather than mutating the one it is called on, the string that is actually checked never contains the secret, so the "integrity check" verifies nothing an attacker cannot compute on their own.
An attacker can craft a malicious serialized Java object, embed it in a tampered SSO cookie, and send it to the public /saml/sso endpoint. Because the endpoint deserializes the cookie contents before any authentication occurs, the request reaches the classic Java deserialization RCE path, where a gadget chain already present on the server's classpath turns object reconstruction into code execution. No credentials or prior authentication are required; the only precondition is that the endpoint is reachable.
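The discarded-return-value pattern beside a hardened check, as an added illustration written for this page (it is not Liberty's source; the cookie format "<base64 payload>.<hex tag>", the claim syntax and the secret are assumptions of the example). The vulnerable validator digests the payload alone because concat() is called for a side effect it does not have, so an attacker forges an acceptable tag without the secret. The hardened validator uses a keyed HMAC compared in constant time, and only after the MAC passes does it parse the payload as flat key=value claims, refusing outright anything that begins with the Java serialization stream magic (0xAC 0xED).

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added illustration, not IBM code. Models an SSO cookie "<base64 payload>.<hex tag>"
// whose tag is supposed to bind the payload to a server-side secret.
public final class SsoCookieCheck {

    // First two bytes of every Java serialization stream (STREAM_MAGIC).
    private static final byte[] JAVA_SERIAL_MAGIC = {(byte) 0xAC, (byte) 0xED};

    private SsoCookieCheck() {}

    // VULNERABLE: the pattern the advisory describes. concat() returns a new String;
    // that result is dropped, so the digest is computed over the payload alone.
    static boolean validateVulnerable(String cookie, String secret) {
        int dot = cookie.lastIndexOf('.');
        if (dot < 0) return false;
        String material = cookie.substring(0, dot);
        material.concat(secret);                               // BUG: return value discarded
        return sha256Hex(material).equals(cookie.substring(dot + 1));
    }

    // What an attacker sends: a tag over the payload only; the secret is never needed.
    static String forgeCookie(String payloadB64) {
        return payloadB64 + "." + sha256Hex(payloadB64);
    }

    // HARDENED: keyed MAC, constant-time compare, payload inspected only after the MAC
    // passes, and claims are a flat key=value list (never ObjectInputStream). Null on failure.
    static Map<String, String> validateHardened(String cookie, byte[] key) {
        int dot = cookie.lastIndexOf('.');
        if (dot < 0) return null;
        String payloadB64 = cookie.substring(0, dot);
        byte[] presented = fromHex(cookie.substring(dot + 1));
        byte[] expected = hmac(key, payloadB64.getBytes(StandardCharsets.UTF_8));
        if (!MessageDigest.isEqual(expected, presented)) return null;   // constant-time
        byte[] payload;
        try {
            payload = Base64.getDecoder().decode(payloadB64);
        } catch (IllegalArgumentException e) {
            return null;
        }
        if (payload.length >= 2 && payload[0] == JAVA_SERIAL_MAGIC[0] && payload[1] == JAVA_SERIAL_MAGIC[1]) {
            return null;                                       // refuse a serialization stream outright
        }
        Map<String, String> claims = new HashMap<>();
        for (String kv : new String(payload, StandardCharsets.UTF_8).split(";")) {
            int eq = kv.indexOf('=');
            if (eq > 0) claims.put(kv.substring(0, eq), kv.substring(eq + 1));
        }
        return claims;
    }

    // Server side of the hardened scheme: issue a cookie over a claim string.
    static String issueHardened(String claims, byte[] key) {
        String b64 = Base64.getEncoder().encodeToString(claims.getBytes(StandardCharsets.UTF_8));
        return b64 + "." + hex(hmac(key, b64.getBytes(StandardCharsets.UTF_8)));
    }

    static byte[] hmac(byte[] key, byte[] data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            return mac.doFinal(data);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    static String sha256Hex(String s) {
        try {
            return hex(MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder(b.length * 2);
        for (byte x : b) sb.append(String.format("%02x", x & 0xFF));
        return sb.toString();
    }

    static byte[] fromHex(String h) {
        if (h.length() % 2 != 0) return new byte[0];
        byte[] out = new byte[h.length() / 2];
        try {
            for (int i = 0; i < out.length; i++) out[i] = (byte) Integer.parseInt(h.substring(2 * i, 2 * i + 2), 16);
        } catch (NumberFormatException e) {
            return new byte[0];                                // malformed tag never matches
        }
        return out;
    }

    public static void main(String[] args) {
        String secret = "server-side-secret";                  // assumed secret for the demo
        byte[] key = secret.getBytes(StandardCharsets.UTF_8);
        String payload = Base64.getEncoder().encodeToString("user=attacker;role=admin".getBytes(StandardCharsets.UTF_8));
        String forged = forgeCookie(payload);
        System.out.println("vulnerable check accepts forged cookie: " + validateVulnerable(forged, secret));
        System.out.println("hardened check accepts forged cookie:   " + (validateHardened(forged, key) != null));
        System.out.println("hardened check on an issued cookie:     " + validateHardened(issueHardened("user=alice;role=viewer", key), key));
    }
}
```

The fix is not only "use the return value": even a correct concat-then-hash is an unkeyed construction an attacker can replicate if the secret ever leaks (which the file-read flaw below makes likely), so the hardened path uses an HMAC and never hands attacker-controlled bytes to Java deserialization at all.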
AdminCenter Flaws - CVE-2025-14915, CVE-2025-14917, CVE-2025-14923
The AdminCenter console provides a web-based UI for managing Liberty servers. Three separate issues were identified:
- CVE-2025-14915: An insecure file-read endpoint allows any authenticated user with the viewer role to request arbitrary files from the server's filesystem via a path-traversal parameter (filePath). This leaks configuration files such as server.xml, keystore data, and the bootstrap.properties that often contain cryptographic secrets.
- CVE-2025-14917: The token-generation service uses a predictable HMAC key derived from the server's admin.password property. Low-privilege users can query the service to obtain a signed JWT that the server accepts as an admin token, effectively bypassing role-based access controls.
- CVE-2025-14923: A logic error in the session-invalidator routine fails to revoke the old session after a successful token refresh, allowing a replay attack. An attacker who has captured a short-lived admin token can reuse it indefinitely.
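Two of the AdminCenter defects, the filePath traversal (CVE-2025-14915) and the refresh that leaves the old session valid (CVE-2025-14923), each reduce to one missing server-side check. The Java below is an added example, not IBM code; the class and method names, the base directory and the token format are assumptions of the example. It shows each check in its vulnerable and corrected form: path resolution that verifies the normalized result still lies under the base directory, and a session store whose refresh removes the old token in the same step that issues the new one.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Added illustration, not IBM code: a contained file-read resolver and a session
// store that actually revokes the token being refreshed.
public final class AdminCenterHardening {

    private AdminCenterHardening() {}

    // CVE-2025-14915 class of bug: base + user-supplied filePath with no containment check.
    // "../bootstrap.properties" normalizes to a file outside the intended directory.
    static Path resolveVulnerable(Path base, String filePath) {
        return base.resolve(filePath).normalize();
    }

    // Fixed: normalize first, then require the result to still be inside the base.
    // Absolute inputs ("/etc/passwd") and "../" escapes both fail the startsWith test.
    static Path resolveContained(Path base, String filePath) {
        Path root = base.toAbsolutePath().normalize();
        Path candidate = root.resolve(filePath).normalize();
        if (!candidate.startsWith(root) || candidate.equals(root)) {
            throw new SecurityException("path escapes base directory: " + filePath);
        }
        return candidate;
    }

    // CVE-2025-14923 class of bug: refresh issues a new token but never removes the old one.
    static final class SessionStore {
        private final Map<String, String> active = new HashMap<>();   // token -> principal
        private final SecureRandom rng = new SecureRandom();

        synchronized String issue(String principal) {
            byte[] b = new byte[32];
            rng.nextBytes(b);
            String token = Base64.getUrlEncoder().withoutPadding().encodeToString(b);
            active.put(token, principal);
            return token;
        }

        synchronized String principalFor(String token) {
            return active.get(token);
        }

        // Vulnerable behaviour: the old token stays in 'active' and can be replayed.
        synchronized String refreshVulnerable(String oldToken) {
            String principal = active.get(oldToken);
            if (principal == null) throw new SecurityException("unknown token");
            return issue(principal);
        }

        // Fixed: removal and issuance happen under the same lock, so the old token is
        // dead before the new one exists and a replayed refresh fails.
        synchronized String refresh(String oldToken) {
            String principal = active.remove(oldToken);
            if (principal == null) throw new SecurityException("unknown or already-rotated token");
            return issue(principal);
        }
    }

    public static void main(String[] args) {
        // Hypothetical base directory for the example; Liberty's real layout is not asserted here.
        Path base = Paths.get("/opt/ibm/wlp/usr/servers/defaultServer/adminfiles");
        System.out.println("vulnerable resolve: " + resolveVulnerable(base, "../bootstrap.properties"));
        try {
            resolveContained(base, "../bootstrap.properties");
        } catch (SecurityException e) {
            System.out.println("contained resolve rejected: " + e.getMessage());
        }
        System.out.println("contained resolve ok: " + resolveContained(base, "reports/summary.txt"));

        SessionStore store = new SessionStore();
        String t1 = store.issue("admin");
        String t2 = store.refreshVulnerable(t1);
        System.out.println("after vulnerable refresh, old token still valid: " + (store.principalFor(t1) != null));
        String t3 = store.refresh(t2);
        System.out.println("after fixed refresh, old token still valid:      " + (store.principalFor(t2) != null));
        System.out.println("new token valid:                                 " + (store.principalFor(t3) != null));
    }
}
```

The containment test compares path components via Path.startsWith, not string prefixes, so a sibling directory such as adminfiles-old does not pass. For CVE-2025-14917 the equivalent fix is outside this snippet: the signing key must be generated from a CSPRNG and stored separately, never derived from admin.password or any other value the file-read flaw can expose.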
These AdminCenter flaws are the privilege-escalation ladder an attacker climbs after the initial RCE. With code execution on the host, the attacker can invoke the AdminCenter APIs, read the keystore, extract the HMAC secret, forge admin tokens, and maintain persistence.
Additional Weaknesses Completing the Seven-Flaw Chain
The Oligo blog post also references two ancillary issues that round out the seven-flaw chain:
- CVE-2025-14930 - An insecure default configuration that leaves the allowRemoteAccess flag enabled for the SAML endpoint, making the pre-auth RCE reachable from the public Internet.
- CVE-2025-14931 - A missing HTTP security header (Content-Security-Policy) on the AdminCenter UI, enabling cross-site scripting that can be used to steal admin cookies when a privileged user visits a malicious page.
Individually each flaw is moderate, but together they form a complete, end-to-end attack path from unauthenticated network exposure to full system takeover.
Impact Analysis
All IBM WebSphere Liberty versions 20.0.0.0 through 22.0.0.5 that ship the vulnerable SAML SSO and AdminCenter modules are affected. The impact can be broken down into three stages:
- Initial Access: Remote unauthenticated attackers can achieve code execution via CVE-2026-1561.
- Privilege Escalation: Using CVE-2025-14915, CVE-2025-14917 and CVE-2025-14923, attackers extract cryptographic material, forge admin tokens, and gain unrestricted admin rights.
- Full Compromise: With admin rights, attackers can deploy arbitrary WAR/EAR files, modify server configuration, exfiltrate data, and establish persistence mechanisms.
Given that Liberty often runs mission-critical workloads (banking, healthcare, government), the risk rating is Critical. Successful exploitation leads to complete confidentiality, integrity, and availability loss.
Timeline of Events
- 2025-12-02 - Initial discovery of CVE-2025-14915 (file-read) by internal IBM security team.
- 2026-01-15 - Oligo Security reports CVE-2025-14917 (token forgery) and CVE-2025-14923 (session replay).
- 2026-02-20 - Public advisory for CVE-2025-14930 and CVE-2025-14931 (configuration and CSP issues).
- 2026-03-10 - Researchers identify the pre-authentication RCE in SAML SSO (CVE-2026-1561).
- 2026-04-01 - Oligo publishes full chain analysis, demonstrating end-to-end compromise.
- 2026-04-07 - IBM releases patches for all seven CVEs and issues hardening guidance.
- 2026-04-13 - CSO Online article amplifies awareness; many enterprises begin remediation.
Mitigation/Recommendations
- Apply IBM PTFs Immediately: Install the cumulative fix pack that addresses CVE-2026-1561, CVE-2025-14915, CVE-2025-14917, CVE-2025-14923, CVE-2025-14930, and CVE-2025-14931. IBM provides separate hot-fixes for each component; verify version numbers against the advisory.
- Restrict SAML Endpoint Exposure: Disable public access to /saml/sso unless absolutely required. Use a reverse proxy with IP allow-lists or a VPN to limit exposure.
- Harden AdminCenter:
  - Enforce multi-factor authentication for all AdminCenter users.
  - Remove the viewer role from users who do not need file-read capabilities.
  - Rotate the HMAC secret stored in bootstrap.properties after patching.
  - Enable Content-Security-Policy and X-Content-Type-Options headers.
- Audit Configuration Files: Search for any leftover allowRemoteAccess=true flags and set them to false. Verify that keystore passwords are not stored in plaintext.
- Monitor for Indicators of Compromise (IOCs):
  - Unexpected creation of new WAR/EAR files in /dropins or /apps directories.
  - Login events from unknown IP addresses to the AdminCenter UI.
  - Outbound connections from the Liberty process to unknown C2 domains.
- Conduct Penetration Testing: Simulate the full chain in a controlled environment to confirm that mitigations are effective.
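Two of the IOC checks above as running code, added here as an example and not part of the original page or of IBM tooling: a scan of AdminCenter login events for successful logins from addresses outside an allow-list, and a diff of a dropins/apps listing against a known-good baseline. The log line shape, the allow-list and the sample entries are constructed for the example; a real deployment would feed it Liberty's own audit records and directory listings.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added illustration, not IBM tooling. Runs two IOC checks over constructed input.
public final class LibertyIocChecks {

    private LibertyIocChecks() {}

    // Assumed (constructed) audit line shape, not Liberty's real audit format:
    // "<ts> ADMINCENTER_LOGIN user=<u> ip=<a.b.c.d> outcome=<SUCCESS|FAILURE>"
    private static final Pattern LOGIN = Pattern.compile(
        "^(\\S+) ADMINCENTER_LOGIN user=(\\S+) ip=(\\d+\\.\\d+\\.\\d+\\.\\d+) outcome=(\\w+)$");

    static final class Finding {
        final String timestamp, user, ip, reason;
        Finding(String timestamp, String user, String ip, String reason) {
            this.timestamp = timestamp; this.user = user; this.ip = ip; this.reason = reason;
        }
        @Override public String toString() { return timestamp + " " + user + "@" + ip + ": " + reason; }
    }

    // Successful AdminCenter logins whose source address is outside every allowed CIDR.
    // Failures are ignored here; a brute-force detector would count those separately.
    static List<Finding> loginsOutsideAllowList(List<String> lines, List<String> allowedCidrs) {
        List<Finding> out = new ArrayList<>();
        for (String line : lines) {
            Matcher m = LOGIN.matcher(line.trim());
            if (!m.matches() || !"SUCCESS".equals(m.group(4))) continue;
            String ip = m.group(3);
            boolean allowed = false;
            for (String cidr : allowedCidrs) {
                if (inCidr(ip, cidr)) { allowed = true; break; }
            }
            if (!allowed) out.add(new Finding(m.group(1), m.group(2), ip, "admin login from IP outside allow-list"));
        }
        return out;
    }

    // IPv4 CIDR membership; a bare address is treated as a /32.
    static boolean inCidr(String ip, String cidr) {
        String[] parts = cidr.split("/");
        int bits = parts.length == 2 ? Integer.parseInt(parts[1]) : 32;
        long mask = bits == 0 ? 0 : (0xFFFFFFFFL << (32 - bits)) & 0xFFFFFFFFL;
        return (toLong(ip) & mask) == (toLong(parts[0]) & mask);
    }

    static long toLong(String ip) {
        long v = 0;
        for (String octet : ip.split("\\.")) v = (v << 8) | (Integer.parseInt(octet) & 0xFF);
        return v;
    }

    // Diff a baseline listing of dropins/apps against the current one; new .war/.ear
    // entries are the indicator the mitigation list calls out.
    static Set<String> newDeployables(Set<String> baseline, Set<String> current) {
        Set<String> added = new TreeSet<>();
        for (String name : current) {
            String lower = name.toLowerCase();
            if ((lower.endsWith(".war") || lower.endsWith(".ear")) && !baseline.contains(name)) added.add(name);
        }
        return added;
    }

    public static void main(String[] args) {
        List<String> sampleLog = List.of(   // constructed sample, not a real Liberty log
            "2026-04-10T08:15:02Z ADMINCENTER_LOGIN user=opsadmin ip=10.20.30.40 outcome=SUCCESS",
            "2026-04-10T08:16:11Z ADMINCENTER_LOGIN user=opsadmin ip=203.0.113.7 outcome=FAILURE",
            "2026-04-10T08:16:40Z ADMINCENTER_LOGIN user=opsadmin ip=203.0.113.7 outcome=SUCCESS",
            "2026-04-10T08:20:00Z ADMINCENTER_LOGIN user=viewer1 ip=10.20.31.9 outcome=SUCCESS");
        for (Finding f : loginsOutsideAllowList(sampleLog, List.of("10.20.0.0/16"))) System.out.println(f);

        Set<String> baseline = Set.of("orders.war", "billing.ear");               // constructed snapshot
        Set<String> now = Set.of("orders.war", "billing.ear", "x.war", "README.txt");
        System.out.println("new deployables: " + newDeployables(baseline, now));
    }
}
```

The baseline for the dropins check should be captured from a known-good server and stored outside the Liberty host, since an attacker with admin rights on the server can edit any local baseline along with the application it is meant to protect.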
Real-World Impact
Enterprises that run Liberty behind a public-facing SAML SSO portal are now exposed to a “drive-by” RCE scenario. A malicious actor can simply send a crafted HTTP request to the SAML endpoint and, within minutes, gain code execution. Because the same server often hosts business-critical applications (e.g., payment gateways, patient record systems), the attacker can exfiltrate sensitive data, alter transaction logic, or install ransomware.
Furthermore, the ability to forge admin tokens (CVE-2025-14917) means that even environments that previously enforced strict role-based access controls are vulnerable. Attackers can persist by creating new admin accounts, disabling logging, or modifying security policies, making detection extremely difficult.
From a compliance standpoint, a breach of this magnitude could trigger violations of PCI-DSS, HIPAA, and GDPR, leading to costly penalties and reputational damage.
Expert Opinion
As a senior cybersecurity analyst, I view this chain as a textbook example of why “single-point” security assumptions are dangerous. IBM’s modular architecture is a strength for flexibility, but it also fragments responsibility: SAML SSO and AdminCenter are often managed by different teams, leading to inconsistent hardening. The pre-authentication RCE demonstrates how a seemingly innocuous coding mistake (using a non-mutating string operation for integrity checking) can cascade into a full-scale compromise when combined with weak token handling and file-read privileges.
For the broader industry, the lesson is clear:
- Never trust that a component exposed to the internet is “read-only.” Any endpoint that deserializes data must be sandboxed or replaced with safe parsers.
- Administrative consoles must be treated as high-value assets; default roles and permissions should be reviewed regularly.
- Patch management is no longer a “nice-to-have” activity. The window between disclosure and exploitation in this case was under a month, and the attack chain is trivial to automate.
Organizations that act quickly, applying patches, tightening network segmentation, and enforcing MFA, can mitigate the risk. Those that delay may find their Liberty servers turned into footholds for broader network intrusion campaigns.