CVE-2025-33142: 
IBM WebSphere Application Server vulnerability analysis and mitigation

IBM WebSphere Application Server 8.5 and 9.0 could provide weaker than expected security for TLS connections. The vulnerability, identified as CVE-2025-33142, was discovered and disclosed on August 14, 2025. The vulnerability affects IBM WebSphere Application Server versions 8.5 (from 8.5.0.0 to 8.5.5.28) and 9.0 (from 9.0.0.0 to 9.0.5.24) across multiple operating systems including AIX, HP-UX, IBM i, Linux, Solaris, Windows, and z/OS (IBM Security Bulletin).

The vulnerability is classified as CWE-295 (Improper Certificate Validation) with a CVSS v3.1 base score of 7.5 (HIGH) according to NVD assessment (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), while IBM's own assessment rates it at 5.3 (MEDIUM) with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N. The vulnerability specifically relates to TLS connection security, potentially resulting in weaker than expected security mechanisms (NVD).

The vulnerability could lead to compromised security of TLS connections in affected WebSphere Application Server installations. With a High CVSS score for confidentiality impact, this vulnerability could potentially expose sensitive information transmitted over TLS connections (NVD).

IBM recommends addressing the vulnerability by either applying an interim fix containing the fix for APAR PH66167, or upgrading to Fix Pack 9.0.5.25 or later (targeted for 3Q2025) for version 9.0, or Fix Pack 8.5.5.29 or later (targeted for 1Q2026) for version 8.5. For V9.0.0.0 through 9.0.5.24 and V8.5.0.0 through 8.5.5.28, users should upgrade to minimal fix pack levels as required by the interim fix (IBM Security Bulletin).