CVE-2025-36124

5.9 MEDIUM

📋 TL;DR

IBM WebSphere Application Server Liberty versions 17.0.0.3 through 25.0.0.8 contain a vulnerability in which the JMS messaging configuration is not properly enforced, allowing a remote attacker to bypass the security restrictions that configuration is meant to impose. It affects deployments of those versions that have JMS messaging configured and enabled; a Liberty server without the JMS features is not affected.

💻 Affected Systems

Products:
  • IBM WebSphere Application Server Liberty
Versions: 17.0.0.3 through 25.0.0.8
Operating Systems: All supported platforms
Default Config Vulnerable: ✅ No
Notes: Only affects systems with JMS messaging configured and enabled

📦 What is this software?

IBM WebSphere Application Server Liberty (WebSphere Liberty) is IBM's lightweight, modular Java application server runtime for Java EE / Jakarta EE and MicroProfile workloads, and is the commercial distribution of Open Liberty. Its JMS support is provided by optional features enabled in server.xml (for example wasJmsServer-1.0, which hosts a messaging engine and opens the JMS listener, and wasJmsClient-2.0 for client-side JMS), which is why this advisory applies only to servers that have those features configured.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could bypass authentication or authorization controls to access restricted JMS resources, potentially leading to unauthorized message consumption, injection, or data exposure.

🟠

Likely Case

Attackers could bypass intended JMS security policies to access messaging queues/topics they shouldn't have access to, potentially reading or injecting messages.

🟢

If Mitigated

With proper network segmentation and an explicit JMS security configuration, the impact is limited to a policy bypass reachable only from network segments that are already trusted to talk to the messaging endpoint.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires knowledge of JMS configuration and access to the messaging interface

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 25.0.0.9 and later, or apply interim fix

Vendor Advisory: https://www.ibm.com/support/pages/node/7242027

Restart Required: Yes

Instructions:

1. Upgrade to Liberty 25.0.0.9 or later.
2. Alternatively, if you cannot move fix packs yet, apply the IBM interim fix named in the vendor advisory for your current fix pack, if one is provided.
3. Restart the Liberty server so the updated runtime is loaded.

🔧 Temporary Workarounds

Disable JMS messaging (all platforms)

Temporarily disable JMS messaging if it is not required. In server.xml, remove or comment out the JMS features in featureManager (for example wasJmsServer-1.0 and wasJmsClient-2.0, or their Jakarta Messaging equivalents messagingServer-3.0 and messagingClient-3.0) together with the related messagingEngine, wasJmsEndpoint and JMS connection factory / destination configuration. Applications that depend on JMS will stop working, so confirm nothing deployed on the server uses it before doing this.

Restrict network access (all platforms)

Limit network access to the JMS listener. Configure firewall rules so that only known messaging clients can reach the JMS ports. This page lists 7276, 7286 and 5556 as typical values, but the authoritative values are whatever the wasJmsEndpoint element in server.xml sets (Liberty's defaults for wasJmsServer-1.0 are 7276 for plain and 7286 for TLS connections). Binding the endpoint's host attribute to an internal interface rather than to all interfaces reduces exposure further.

🧯 If You Can't Patch

  • Implement strict network segmentation around Liberty servers so the messaging endpoint is reachable only from hosts that legitimately produce or consume messages
  • Harden the messaging configuration: enable wasJmsSecurity-1.0 (messagingSecurity-3.0 for Jakarta Messaging) with explicit messagingSecurity roles that name which users and groups may send, receive or browse each destination, and require TLS on the endpoint. Treat this as defence in depth rather than a substitute for the fix, since the flaw lies in how the messaging configuration is enforced

🔍 How to Verify

Check if Vulnerable:

Run the Liberty server command from the install's bin directory: server version. A product version from 17.0.0.3 through 25.0.0.8 is in the affected range. Then confirm whether the server actually enables JMS (a wasJmsServer/wasJmsClient or messagingServer/messagingClient feature in server.xml); a server without those features is not affected.

Check Version:

server version

Verify Fix Applied:

Verify that the version is 25.0.0.9 or later, or that the interim fix named in the vendor advisory is installed: productInfo version --ifixes lists the installed interim fixes.
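The two checks above (product version inside the affected range, and JMS actually enabled, as noted under Affected Systems) combined in one script, as an added example that is not IBM tooling or code from this page. It assumes a default install path of /opt/ibm/wlp, the `server version` output shape described in its comments, and a constructed sample server.xml for offline use; it does not follow `<include>` files, and because the interim fix for this CVE is not named on this page it only lists the installed iFixes for you to compare against the vendor advisory. It also prints the wasJmsEndpoint element that the network-restriction workaround depends on.

```shell
#!/bin/sh
# Added example, not IBM's tooling: scope a Liberty install for CVE-2025-36124.
# Step 1 compares the product version from `bin/server version` with the affected
# range 17.0.0.3 through 25.0.0.8 stated in this advisory. Step 2 checks whether
# server.xml actually enables JMS messaging, because the advisory only applies when
# JMS is configured and enabled. Assumptions: the `server version` line shape shown
# in extract_version, the sample server.xml (constructed for this demo), and the
# default install path /opt/ibm/wlp; included config files are not followed.

# "a.b.c.d" -> zero-padded key, so two versions compare as plain integers.
version_key() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  printf '%d%03d%03d%03d' "${1:-0}" "${2:-0}" "${3:-0}" "${4:-0}"
}

# Extract the x.y.z.w product version from `server version` output, which looks like
#   WebSphere Application Server 25.0.0.8 (<build id>) on Eclipse OpenJ9 VM, version ...
# (Open Liberty prints "Open Liberty x.y.z.w ..." instead; both are accepted.)
extract_version() {
  sed -nE 's/.*(WebSphere Application Server|Open Liberty) ([0-9]+(\.[0-9]+){3}).*/\2/p' | head -n 1
}

# Exit 0 when the version lies inside the affected range.
version_affected() {
  k=$(version_key "$1")
  [ "$k" -ge "$(version_key 17.0.0.3)" ] && [ "$k" -le "$(version_key 25.0.0.8)" ]
}

# Exit 0 when the server.xml on stdin enables a messaging engine (the feature that
# opens the JMS listener): wasJmsServer-1.0 or the Jakarta-era messagingServer-*.
jms_server_enabled() {
  grep -qE '<feature>[[:space:]]*(wasJmsServer|messagingServer)-[0-9.]+[[:space:]]*</feature>'
}

# Exit 0 when client-side JMS features are enabled (still "JMS configured" in the
# advisory's wording, but no listener is opened on this server).
jms_client_enabled() {
  grep -qE '<feature>[[:space:]]*(wasJmsClient|jmsMdb|messagingClient|mdb|jms|messaging)-[0-9.]+[[:space:]]*</feature>'
}

# Print the declared messaging endpoint element, if any. Liberty's defaults when it is
# absent are 7276 (plain) and 7286 (TLS) for wasJmsServer-1.0.
jms_endpoint() {
  grep -oE '<wasJmsEndpoint[^>]*>' || printf 'no explicit <wasJmsEndpoint>; defaults apply (7276/7286)\n'
}

# Constructed sample server.xml (not from a real deployment).
SAMPLE_SERVER_XML='<server description="constructed sample">
  <featureManager>
    <feature>jms-2.0</feature>
    <feature>wasJmsServer-1.0</feature>
  </featureManager>
  <wasJmsEndpoint id="InboundJmsEndpoint" host="*" wasJmsPort="7276" wasJmsSSLPort="7286"/>
  <messagingEngine><queue id="ORDERS.QUEUE"/></messagingEngine>
</server>'

# Full check for one install: $1 = Liberty home, $2 = server name.
check_server() {
  home="${1:-${LIBERTY_HOME:-/opt/ibm/wlp}}"; name="${2:-defaultServer}"
  cfg="$home/usr/servers/$name/server.xml"
  v=$("$home/bin/server" version | extract_version)
  printf 'Liberty version: %s\n' "${v:-unknown}"
  if [ -n "$v" ] && version_affected "$v"; then
    printf 'Version is in the affected range 17.0.0.3 - 25.0.0.8\n'
    printf 'Installed interim fixes (compare with the IBM advisory):\n'
    "$home/bin/productInfo" version --ifixes
  else
    printf 'Version is outside the affected range\n'
  fi
  if jms_server_enabled < "$cfg"; then
    printf 'JMS messaging engine enabled in %s; endpoint: %s\n' "$cfg" "$(jms_endpoint < "$cfg")"
  elif jms_client_enabled < "$cfg"; then
    printf 'JMS client features enabled in %s (no local listener)\n' "$cfg"
  else
    printf 'No JMS features in %s; advisory does not apply to this server\n' "$cfg"
  fi
}

# With LIBERTY_HOME set, audits the real install; otherwise runs on the sample.
if [ -n "${LIBERTY_HOME:-}" ]; then
  check_server "$LIBERTY_HOME" "${1:-defaultServer}"
else
  if printf '%s\n' "$SAMPLE_SERVER_XML" | jms_server_enabled; then
    printf 'sample: messaging engine enabled, endpoint %s\n' "$(printf '%s\n' "$SAMPLE_SERVER_XML" | jms_endpoint)"
  fi
  if version_affected 25.0.0.8; then printf 'sample: 25.0.0.8 is in the affected range\n'; fi
fi
```

Run it as `LIBERTY_HOME=/opt/ibm/wlp sh check_cve_2025_36124.sh myServer` against a real install; on Windows the same commands are server.bat and productInfo.bat.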

📡 Detection & Monitoring

Log Indicators (Liberty writes to logs/messages.log under the server output directory, not to a file named liberty.log):

  • Unauthorized access attempts to JMS resources
  • JMS security policy violations (messaging engine messages carry CWSI-prefixed message IDs)
  • Unexpected JMS connection patterns, for example new client addresses or off-hours connections to the messaging endpoint

Network Indicators:

  • Unusual traffic to the JMS ports (7276, 7286, 5556, or whatever wasJmsEndpoint sets)
  • JMS protocol anomalies

SIEM Query:

source="*messages.log" AND ("JMS security" OR "access denied" OR "unauthorized")
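The SIEM query above, run offline over sample log lines so the indicator terms can be tuned before they become a rule, as an added example that is neither IBM's tooling nor code from this page. It assumes Liberty's messages.log line layout; the sample lines are constructed for the demo, and the SMPL* message IDs, logger names and texts in them are placeholders rather than real Liberty messages.

```shell
#!/bin/sh
# Added example, not IBM's tooling: triage a Liberty messages.log for the log indicators
# listed in this advisory before turning them into a SIEM rule. Liberty writes lines of
#   [M/d/yy, H:mm:ss:SSS ZONE] threadId loggerName level MSGID: text
# to logs/messages.log. Assumption: the sample lines below are constructed for this demo;
# the SMPL* message IDs, logger names and texts are placeholders, not real Liberty
# messages (CWWKF0012I and SRVE0242I are real IDs used here only as non-JMS noise).
SAMPLE_LOG='[10/1/25, 9:00:01:100 UTC] 00000019 com.ibm.ws.kernel.feature.internal.FeatureManager A CWWKF0012I: The server installed the following features: [jms-2.0, wasJmsServer-1.0, wasJmsSecurity-1.0].
[10/1/25, 9:05:17:420 UTC] 0000002a com.example.messaging.Sample E SMPL0001E: JMS security: access denied for user guest on destination ORDERS.QUEUE (SEND).
[10/1/25, 9:05:17:455 UTC] 0000002a com.example.messaging.Sample E SMPL0001E: JMS security: access denied for user guest on destination ORDERS.QUEUE (RECEIVE).
[10/1/25, 9:05:18:010 UTC] 0000002b com.example.messaging.Sample W SMPL0002W: Unauthorized connection attempt to messaging engine defaultME from 10.0.0.9.
[10/1/25, 9:06:00:000 UTC] 00000031 com.ibm.ws.webcontainer.servlet.ServletWrapper I SRVE0242I: [app] [/app] [Hello]: Initialization successful.'

# Keep only lines matching the advisory's indicator terms (case-insensitive).
jms_indicator_lines() {
  grep -iE 'JMS security|access denied|unauthorized'
}

# Number of indicator lines on stdin.
jms_indicator_count() {
  jms_indicator_lines | wc -l | tr -d ' '
}

# "MSGID count" per message ID, most frequent first, so a burst of one ID stands out.
# The ID is the token shaped like CWSIA0001E: (4+ letters, 4 digits, severity letter, colon).
jms_indicator_summary() {
  jms_indicator_lines \
    | awk '{ for (i = 1; i <= NF; i++)
               if ($i ~ /^[A-Z][A-Z][A-Z][A-Z][A-Z]*[0-9][0-9][0-9][0-9][A-Z]:$/) { sub(":", "", $i); c[$i]++; break } }
           END { for (k in c) print k, c[k] }' \
    | sort -k2,2nr -k1,1
}

# First and last timestamp among the matches, as "first|last" (empty when none),
# taken from the bracketed prefix of each line.
jms_indicator_window() {
  jms_indicator_lines | sed -nE 's/^\[([^]]*)\].*/\1/p' | {
    first=''; last=''
    while IFS= read -r t; do
      if [ -z "$first" ]; then first="$t"; fi
      last="$t"
    done
    printf '%s|%s\n' "$first" "$last"
  }
}

# Usage: sh jms_triage.sh /opt/ibm/wlp/usr/servers/defaultServer/logs/messages.log
# Without an argument it runs on the constructed sample.
if [ -n "${1:-}" ]; then
  printf 'matches: %s  window: %s\n' "$(jms_indicator_count < "$1")" "$(jms_indicator_window < "$1")"
  jms_indicator_summary < "$1"
else
  printf 'matches: %s  window: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | jms_indicator_count)" \
    "$(printf '%s\n' "$SAMPLE_LOG" | jms_indicator_window)"
  printf '%s\n' "$SAMPLE_LOG" | jms_indicator_summary
fi
```

The per-ID summary is the part worth carrying into the SIEM: a handful of distinct messaging message IDs repeating within a short window from one thread is a better alert condition than any single keyword hit, and the same term list can be narrowed to the CWSI-prefixed IDs once you have seen which ones your server actually emits.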
