CVE-2025-14988 (GCVE-0-2025-14988)
Vulnerability from cvelistv5 – Published: 2026-01-27 20:08 – Updated: 2026-01-27 20:51
Title
Incorrect Permission Assignment for Critical Resource vulnerability in iba Systems ibaPDA
Summary
A security issue has been identified in ibaPDA that could allow unauthorized actions on the file system under certain conditions. This may impact the confidentiality, integrity, or availability of the system.
Severity
- CVSS 4.0: 10 (CRITICAL), CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CWE
- CWE-732 - Incorrect Permission Assignment for Critical Resource
Assigner
icscert
References
| URL | Tags |
|---|---|
| https://www.cisa.gov/news-events/ics-advisories/icsa-26-027-01 | government-resource |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| iba Systems | ibaPDA | Affected: 8.12.0 |
Credits
Siemens reported this vulnerability to CISA.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14988",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-27T20:33:02.951829Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-27T20:51:36.885Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ibaPDA",
"vendor": "iba Systems",
"versions": [
{
"status": "affected",
"version": "8.12.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Siemens reported this vulnerability to CISA."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA security issue has been identified in ibaPDA that could allow unauthorized actions on the file system under certain conditions. This may impact the confidentiality, integrity, or availability of the system.\u003c/span\u003e"
}
],
"value": "A security issue has been identified in ibaPDA that could allow unauthorized actions on the file system under certain conditions. This may impact the confidentiality, integrity, or availability of the system."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-27T20:08:54.853Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-027-01"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "iba Systems recommends users update to ibaPDA v8.12.1 or a later version.\u003cbr\u003e\u003cbr\u003eIf Installing the update is not possible, iba Systems recommends users: \u003cbr\u003e\u003cbr\u003e* Enable User Management: \u003cbr\u003eTo activate user management, navigate to User Management settings under the Configure option. Set a password for the admin user to enable user management.\u003cbr\u003e\u003cbr\u003eConfigure Server Access: \u003cbr\u003eTo configure, open Server Access Manager (found under Configure in the ibaPDA Client). Set the configuration to restrict access. For example, only 127.0.0.1 (localhost) or specific system IP addresses to communicate with ibaPDA can connect to the ibaPDA Server. (In this example, only connections from localhost are permitted to access ibaPDA.)\u003cbr\u003e\u003cbr\u003eRestrict Connections to Localhost (if ibaPDA is only accessed from the system where it runs): \u003cbr\u003e* Go to I/O Manager, then General, and deactivate the option \u201cAutomatically open necessary ports in Windows Firewall.\u201d (If this option remains active, after a restart of ibaPDA or a restart for data acquisition, the firewall will be reconfigured automatically.)\u003cbr\u003e* Then, go to Advanced Windows Firewall settings and delete or deactivate all incoming rules for the ibaPDA Client and Server.\u003cbr\u003e* Manually create firewall rules for the connection used for ibaPDA and verify that the correct ports are configured. For assistance with identifying the ports used by the ibaPDA service can be found in the iba Help Center.\u003cbr\u003e* Note: After making the changes, verify that all ibaPDA services are operating as expected and that the data acquisition is functioning correctly.\u003cbr\u003e"
}
],
"value": "iba Systems recommends users update to ibaPDA v8.12.1 or a later version.\n\nIf Installing the update is not possible, iba Systems recommends users: \n\n* Enable User Management: \nTo activate user management, navigate to User Management settings under the Configure option. Set a password for the admin user to enable user management.\n\nConfigure Server Access: \nTo configure, open Server Access Manager (found under Configure in the ibaPDA Client). Set the configuration to restrict access. For example, only 127.0.0.1 (localhost) or specific system IP addresses to communicate with ibaPDA can connect to the ibaPDA Server. (In this example, only connections from localhost are permitted to access ibaPDA.)\n\nRestrict Connections to Localhost (if ibaPDA is only accessed from the system where it runs): \n* Go to I/O Manager, then General, and deactivate the option \u201cAutomatically open necessary ports in Windows Firewall.\u201d (If this option remains active, after a restart of ibaPDA or a restart for data acquisition, the firewall will be reconfigured automatically.)\n* Then, go to Advanced Windows Firewall settings and delete or deactivate all incoming rules for the ibaPDA Client and Server.\n* Manually create firewall rules for the connection used for ibaPDA and verify that the correct ports are configured. For assistance with identifying the ports used by the ibaPDA service can be found in the iba Help Center.\n* Note: After making the changes, verify that all ibaPDA services are operating as expected and that the data acquisition is functioning correctly."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Incorrect Permission Assignment for Critical Resource vulnerability in iba Systems ibaPDA",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2025-14988",
"datePublished": "2026-01-27T20:08:54.853Z",
"dateReserved": "2025-12-19T20:07:46.829Z",
"dateUpdated": "2026-01-27T20:51:36.885Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.