CRITICAL · Vulnerability · Global

Seven IBM WebSphere Liberty flaws can be chained into full takeover

Monday, April 13, 2026 at 11:45 AM UTC · Source: CSO Online

Updated: Monday, April 13, 2026 at 11:47 AM UTC

Executive Summary

Security researchers are warning of seven flaws in IBM WebSphere Liberty, a lightweight, modular Java application server, that can be chained into a full server compromise. The chain starts with a newly disclosed pre-authentication issue in the platform’s SAML Web SSO component that yields remote code execution on exposed endpoints; a separate set of AdminCenter flaws lets a low-privileged “reader” account escalate to full administrative control.

Analysis

Once the SAML flaw provides that foothold, the chain manipulates authentication, access control, and cryptographic protection to achieve full control. “The 7 flaws we reported to IBM create multiple pathways for attackers to move from network-level exposure or limited access to full server compromise,” Oligo Security researchers said in a blog post. Taken together, the flaws form a privilege-escalation path from network exposure or a low-privileged account to a critical compromise; IBM patches and configuration guidance against it are now available.

Pre-auth RCE sets the tone

The root flaw, and the most recently disclosed, is tracked as CVE-2026-1561. It affects the SAML Web SSO functionality and requires no authentication to exploit. In affected deployments, attackers can reach exposed SAML endpoints and supply crafted serialized payloads, ultimately achieving remote code execution (RCE).

Specifically, the application attempts to validate a serialized cookie by appending a secret value to it, but it discards the result of the “String.concat()” call. In Java, String objects are immutable and concat() returns a new String rather than modifying the one it is called on, so the secret never becomes part of the value that is checked and the integrity check protects nothing. As a result, attackers can tamper with the SSO cookie and supply arbitrary serialized Java objects without triggering a validation failure. Because the vulnerable endpoint processes this data before authentication, it opens a pre-auth RCE vector. SSO endpoints are often internet-facing by design, the researchers noted, which turns the flaw into a remote entry point and makes it possible to chain with additional weaknesses.
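The ignored-return-value pattern described above, as an added illustration that is not IBM’s code and not taken from the Oligo write-up: the class, method names, the SHA-256 digest and the server secret are all hypothetical stand-ins for whatever the real component uses, chosen only to show why discarding the result of String.concat() leaves the secret out of the check.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

// Illustrative reconstruction of the bug class (hypothetical code, not IBM's):
// a cookie carrying serialized data is supposed to be bound to a server-side
// secret by checking a digest over (data + secret). String.concat() returns a
// new String and never modifies its receiver, so ignoring its return value
// leaves the secret out of the digest entirely.
public final class ConcatIntegrityBug {

    static String sha256Hex(String input) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] digest = md.digest(input.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // Vulnerable pattern: the concat result is thrown away, so the tag is just
    // a digest of attacker-controlled bytes that anyone can recompute.
    static String vulnerableTag(String payload, String secret) {
        String toCheck = payload;
        toCheck.concat(secret);        // no-op: Strings are immutable
        return sha256Hex(toCheck);
    }

    // Corrected pattern: keep the result. A keyed MAC such as HMAC-SHA256 is
    // the right primitive here; plain hash(data||secret) is kept only to stay
    // close to the bug being illustrated.
    static String fixedTag(String payload, String secret) {
        String toCheck = payload.concat(secret);
        return sha256Hex(toCheck);
    }

    static boolean accepts(String payload, String tag, String secret, boolean fixed) {
        String expected = fixed ? fixedTag(payload, secret) : vulnerableTag(payload, secret);
        // constant-time comparison of the two tags
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                tag.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        String serverSecret = "assumed-server-secret-unknown-to-attacker";   // assumed value

        // Constructed attacker cookie: a base64 blob standing in for an
        // attacker-chosen serialized object, tagged with a digest computed
        // without any knowledge of the secret.
        String attackerPayload = Base64.getEncoder().encodeToString(
                "<attacker-chosen serialized object>".getBytes(StandardCharsets.UTF_8));
        String forgedTag = sha256Hex(attackerPayload);

        System.out.println("vulnerable check accepts forged cookie: "
                + accepts(attackerPayload, forgedTag, serverSecret, false));
        System.out.println("fixed check accepts forged cookie:      "
                + accepts(attackerPayload, forgedTag, serverSecret, true));
    }
}
```

Compiled and run with `javac ConcatIntegrityBug.java && java ConcatIntegrityBug`, the vulnerable check accepts the forged cookie and the fixed check rejects it. javac emits no warning for the discarded concat() result; static analysers that flag ignored return values on immutable types (Error Prone’s ReturnValueIgnored check, for example) do. Note that even the corrected tag only restores the check the code intended; the safer design is to refuse to deserialize untrusted objects on a pre-authentication path at all.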
AdminCenter flaws allow further escalation

Beyond initial access, the research outlined critical issues in WebSphere Liberty’s administrative controls. The AdminCenter component, designed to enforce role-based access, contains multiple flaws that allow low-privileged users to access sensitive files and secrets. One issue, tracked as CVE-2025-14915, lets “reader”-level users retrieve critical server files such as authentication keys, which can then be used to forge tokens and impersonate higher-privileged users. Another problem (CVE-2025-14917) lies in hardcoded passwords protecting the LTPA keys used for token signing, alongside encryption utilities that ship with static keys in all modes (CVE-2025-14923).

The rest of the chain includes an archive extraction flaw (CVE-2025-14914) that can be abused to write files outside the intended directories, alongside insecure handling (no CVE assigned) of configuration data, where sensitive entries such as credentials in server.xml can be retrieved or reused once access is gained.

The researchers detailed the full chain: a low-privileged “reader” user extracts or recovers admin credentials from exposed configuration data, or alternatively forges an admin token using the decrypted LTPA keys, gaining full administrative access. From there, the archive extraction flaw allows arbitrary file writes via a Zip Slip-style attack, ultimately leading to remote code execution. IBM did not immediately respond to CSO’s request for comment on the disclosed attack chain.

Beyond applying the patches, Oligo urged organizations to rotate any secrets ever generated with “SecurityUtility”, since the default XOR and AES modes make them effectively reversible, and to move to custom encryption keys going forward. It also recommended auditing and limiting reader-role assignments, since those users can potentially escalate to full administrative access.

Indicators of Compromise (5)

CVE (5)
CVE-2026-1561
CVE-2025-14915
CVE-2025-14917
CVE-2025-14923
CVE-2025-14914

Source Attribution

Originally published by CSO Online on Apr 13, 2026.