Seven IBM WebSphere Liberty Flaws Can Be Chained Into Full Takeover


CSO Online, Apr 13, 2026

Why It Matters

The vulnerabilities expose enterprises running WebSphere Liberty to complete server control without authentication, threatening sensitive data and service continuity. Prompt patching and secret rotation are essential to prevent attackers from exploiting the chained attack path.

Key Takeaways

  • Pre-auth RCE in SAML SSO allows unauthenticated remote code execution
  • AdminCenter flaws let reader role retrieve server keys and forge tokens
  • Archive extraction bug enables Zip Slip file writes for arbitrary code
  • IBM released patches and configuration guidance to mitigate the attack chain
  • Organizations should rotate default encryption secrets and enforce strict reader-role limits

Pulse Analysis

IBM WebSphere Liberty, a lightweight Java application server favored by many enterprises, has become the focus of a serious security disclosure. Researchers from Oligo Security identified a pre‑authentication remote code execution flaw (CVE‑2026‑1561) in the platform’s SAML Web SSO component, where a malformed cookie bypasses integrity checks, granting attackers unauthenticated code execution. Because SSO endpoints are often exposed to the internet, this vulnerability serves as a low‑effort entry point that can be leveraged in broader attack scenarios, underscoring the inherent risk of internet‑facing authentication services.

The initial foothold is amplified by a series of AdminCenter weaknesses that allow a user with merely "reader" privileges to harvest critical server files, including authentication keys and LTPA token‑signing secrets (CVE‑2025‑14915, CVE‑2025‑14917, CVE‑2025‑14923). Armed with these secrets, attackers can forge admin‑level tokens or decrypt existing ones, effectively escalating to full administrative control. A subsequent archive extraction flaw (CVE‑2025‑14914) enables a Zip Slip‑style attack, permitting arbitrary file writes that culminate in remote code execution. The chained nature of these bugs illustrates how disparate, seemingly minor issues can combine into a full‑scale compromise.

IBM has responded with patches for all seven vulnerabilities and published hardening guidelines that stress secret rotation, custom encryption keys, and tighter role assignments. Enterprises should prioritize applying the updates, auditing existing reader‑role accounts, and rotating any keys generated with the default SecurityUtility settings. The incident serves as a reminder that comprehensive security hygiene—regular patch management, principle‑of‑least‑privilege access, and continuous monitoring—is vital for protecting critical middleware platforms in today’s threat landscape.

