cvelistv5 - cve-2025-14115

CVE-2025-14115 (GCVE-0-2025-14115)

Vulnerability from cvelistv5

Published

2026-01-20 14:59

Modified

2026-02-26 14:44

Severity ?

8.4 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-798 - Use of Hard-coded Credentials

Summary

IBM Sterling Connect:Direct for UNIX Container 6.3.0.0 through 6.3.0.6 Interim Fix 016, and 6.4.0.0 through 6.4.0.3 Interim Fix 019 IBM® Sterling Connect:Direct for UNIX contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

References

URL

Tags

https://www.ibm.com/support/pages/node/7257143

vendor-advisory, patch

Impacted products

	Vendor	Product	Version
	IBM	Sterling Connect:Direct for UNIX Container	Version: 6.3.0.0 ≤ 6.3.0.6 Interim Fix 016 Version: 6.4.0.0 ≤ 6.4.0.3 Interim Fix 019 cpe:2.3:a:ibm:sterling_connectdirect_for_unix_container:6.3.0.0:::::::* cpe:2.3:a:ibm:sterling_connectdirect_for_unix_container:6.3.0.6:interim_fix_016:::::: cpe:2.3:a:ibm:sterling_connectdirect_for_unix_container:6.4.0.0:::::::* cpe:2.3:a:ibm:sterling_connectdirect_for_unix_container:6.4.0.3:interim_fix_019::::::

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-14115",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-21T04:55:23.620986Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T14:44:44.315Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:ibm:sterling_connectdirect_for_unix_container:6.3.0.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:sterling_connectdirect_for_unix_container:6.3.0.6:interim_fix_016:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:sterling_connectdirect_for_unix_container:6.4.0.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:sterling_connectdirect_for_unix_container:6.4.0.3:interim_fix_019:*:*:*:*:*:*"
          ],
          "product": "Sterling Connect:Direct for UNIX Container",
          "vendor": "IBM",
          "versions": [
            {
              "lessThanOrEqual": "6.3.0.6 Interim Fix 016",
              "status": "affected",
              "version": "6.3.0.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.4.0.3 Interim Fix 019",
              "status": "affected",
              "version": "6.4.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIBM Sterling Connect:Direct for UNIX Container 6.3.0.0 through 6.3.0.6 Interim Fix 016, and 6.4.0.0 through 6.4.0.3 Interim Fix 019 IBM\u00ae Sterling Connect:Direct for UNIX contains hard-coded credentials, such as a password or cryptographic key, which it uses for\u0026nbsp;its own inbound authentication, outbound communication to external components, or encryption of\u0026nbsp;internal data.\u003c/p\u003e"
            }
          ],
          "value": "IBM Sterling Connect:Direct for UNIX Container 6.3.0.0 through 6.3.0.6 Interim Fix 016, and 6.4.0.0 through 6.4.0.3 Interim Fix 019 IBM\u00ae Sterling Connect:Direct for UNIX contains hard-coded credentials, such as a password or cryptographic key, which it uses for\u00a0its own inbound authentication, outbound communication to external components, or encryption of\u00a0internal data."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 8.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-798",
              "description": "CWE-798 Use of Hard-coded Credentials",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-20T14:59:15.938Z",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://www.ibm.com/support/pages/node/7257143"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIBM strongly recommends addressing the vulnerability now by upgrading. Product(s) Version(s) APAR Remediation/Fix IBM Sterling Connect:Direct for UNIX Container 6.3.0.0 to 6.3.0.6_iFix016 IT48880 Apply 6.3.0.6_iFix017, see Downloading the IBM Sterling Connect:Direct for Unix Container IBM Sterling Connect:Direct for UNIX Container 6.4.0.0 to 6.4.0.3_iFix019 IT48880 Apply 6.4.0.4, see Downloading the IBM Sterling Connect:Direct for Unix Container For unsupported versions IBM recommends upgrading to a fixed, supported version of the product.\u003c/p\u003e"
            }
          ],
          "value": "IBM strongly recommends addressing the vulnerability now by upgrading. Product(s) Version(s) APAR Remediation/Fix IBM Sterling Connect:Direct for UNIX Container 6.3.0.0 to 6.3.0.6_iFix016 IT48880 Apply 6.3.0.6_iFix017, see Downloading the IBM Sterling Connect:Direct for Unix Container IBM Sterling Connect:Direct for UNIX Container 6.4.0.0 to 6.4.0.3_iFix019 IT48880 Apply 6.4.0.4, see Downloading the IBM Sterling Connect:Direct for Unix Container For unsupported versions IBM recommends upgrading to a fixed, supported version of the product."
        }
      ],
      "title": "IBM Sterling Connect:Direct for UNIX Container is affected by vulnerability where hard-coded credentials are embeeded in the product for its internal use.",
      "x_generator": {
        "engine": "ibm-cvegen"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2025-14115",
    "datePublished": "2026-01-20T14:59:15.938Z",
    "dateReserved": "2025-12-05T15:14:31.863Z",
    "dateUpdated": "2026-02-26T14:44:44.315Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-14115\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-21T04:55:23.620986Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-01-20T15:58:41.180Z\"}}], \"cna\": {\"title\": \"IBM Sterling Connect:Direct for UNIX Container is affected by vulnerability where hard-coded credentials are embeeded in the product for its internal use.\", \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.4, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:ibm:sterling_connectdirect_for_unix_container:6.3.0.0:*:*:*:*:*:*:*\", \"cpe:2.3:a:ibm:sterling_connectdirect_for_unix_container:6.3.0.6:interim_fix_016:*:*:*:*:*:*\", \"cpe:2.3:a:ibm:sterling_connectdirect_for_unix_container:6.4.0.0:*:*:*:*:*:*:*\", \"cpe:2.3:a:ibm:sterling_connectdirect_for_unix_container:6.4.0.3:interim_fix_019:*:*:*:*:*:*\"], \"vendor\": \"IBM\", \"product\": \"Sterling Connect:Direct for UNIX Container\", \"versions\": [{\"status\": \"affected\", \"version\": \"6.3.0.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.3.0.6 Interim Fix 016\"}, {\"status\": \"affected\", \"version\": \"6.4.0.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.4.0.3 Interim Fix 019\"}]}], \"solutions\": [{\"lang\": \"en\", \"value\": \"IBM strongly recommends addressing the vulnerability now by upgrading. Product(s) Version(s) APAR Remediation/Fix IBM Sterling Connect:Direct for UNIX Container 6.3.0.0 to 6.3.0.6_iFix016 IT48880 Apply 6.3.0.6_iFix017, see Downloading the IBM Sterling Connect:Direct for Unix Container IBM Sterling Connect:Direct for UNIX Container 6.4.0.0 to 6.4.0.3_iFix019 IT48880 Apply 6.4.0.4, see Downloading the IBM Sterling Connect:Direct for Unix Container For unsupported versions IBM recommends upgrading to a fixed, supported version of the product.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eIBM strongly recommends addressing the vulnerability now by upgrading. Product(s) Version(s) APAR Remediation/Fix IBM Sterling Connect:Direct for UNIX Container 6.3.0.0 to 6.3.0.6_iFix016 IT48880 Apply 6.3.0.6_iFix017, see Downloading the IBM Sterling Connect:Direct for Unix Container IBM Sterling Connect:Direct for UNIX Container 6.4.0.0 to 6.4.0.3_iFix019 IT48880 Apply 6.4.0.4, see Downloading the IBM Sterling Connect:Direct for Unix Container For unsupported versions IBM recommends upgrading to a fixed, supported version of the product.\u003c/p\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://www.ibm.com/support/pages/node/7257143\", \"tags\": [\"vendor-advisory\", \"patch\"]}], \"x_generator\": {\"engine\": \"ibm-cvegen\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"IBM Sterling Connect:Direct for UNIX Container 6.3.0.0 through 6.3.0.6 Interim Fix 016, and 6.4.0.0 through 6.4.0.3 Interim Fix 019 IBM\\u00ae Sterling Connect:Direct for UNIX contains hard-coded credentials, such as a password or cryptographic key, which it uses for\\u00a0its own inbound authentication, outbound communication to external components, or encryption of\\u00a0internal data.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eIBM Sterling Connect:Direct for UNIX Container 6.3.0.0 through 6.3.0.6 Interim Fix 016, and 6.4.0.0 through 6.4.0.3 Interim Fix 019 IBM\\u00ae Sterling Connect:Direct for UNIX contains hard-coded credentials, such as a password or cryptographic key, which it uses for\u0026nbsp;its own inbound authentication, outbound communication to external components, or encryption of\u0026nbsp;internal data.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-798\", \"description\": \"CWE-798 Use of Hard-coded Credentials\"}]}], \"providerMetadata\": {\"orgId\": \"9a959283-ebb5-44b6-b705-dcc2bbced522\", \"shortName\": \"ibm\", \"dateUpdated\": \"2026-01-20T14:59:15.938Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-14115\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-26T14:44:44.315Z\", \"dateReserved\": \"2025-12-05T15:14:31.863Z\", \"assignerOrgId\": \"9a959283-ebb5-44b6-b705-dcc2bbced522\", \"datePublished\": \"2026-01-20T14:59:15.938Z\", \"assignerShortName\": \"ibm\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

CERTFR-2026-AVI-0061

Vulnerability from certfr_avis

De multiples vulnérabilités ont été découvertes dans les produits IBM. Elles permettent à un attaquant de provoquer un contournement de la politique de sécurité et un problème de sécurité non spécifié par l'éditeur.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
IBM	Sterling	Sterling External Authentication Server versions 6.1.1.x antérieures à 6.1.1.2 GA
IBM	WebSphere Automation	WebSphere Automation versions 1.x antérieures à 1.11.1
IBM	Sterling	Sterling Connect:Direct for UNIX Container versions 6.3.x antérieures à 6.3.0.6_iFix017
IBM	Sterling	Sterling Connect:Direct for UNIX Container versions 6.4.x antérieures à 6.4.0.4

References

Title

Publication Time

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted