CVE-2025-27907: 
IBM WebSphere Application Server vulnerability analysis and mitigation

IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to server-side request forgery (SSRF), identified as CVE-2025-27907. The vulnerability was disclosed on April 22, 2025, affecting multiple platforms including AIX, HP-UX, IBM i, Linux, Solaris, Windows, and z/OS (IBM Bulletin, NVD).

The vulnerability is classified as a Server-Side Request Forgery (SSRF) issue (CWE-918). IBM has assigned a CVSS Base score of 4.1 (Medium) with the vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N. This scoring indicates that the vulnerability requires high privileges to exploit, has network access vector, low attack complexity, and can potentially lead to limited confidentiality breach (IBM Bulletin, Wiz).

The vulnerability may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. The impact is primarily limited to confidentiality breaches, with no direct impact on integrity or availability of the system (IBM Bulletin).

IBM recommends addressing the vulnerability by applying available fixes. For WebSphere Application Server V9.0.0.0 through 9.0.5.23, users should either upgrade to Fix Pack 9.0.5.24 or later (targeted for 2Q2025) or apply the Interim Fix for APAR PH65941. For V8.5.0.0 through 8.5.5.27, users should upgrade to Fix Pack 8.5.5.28 or later (targeted for 3Q2025) or apply the Interim Fix for APAR PH65941. No workarounds are available for this vulnerability (IBM Bulletin).

The vulnerability was reported to IBM by security researcher Simon Baeg (IBM Bulletin).