CVE-2025-14806 is a vulnerability classified under CWE-524 (Use of Cache Containing Sensitive Information) affecting IBM Planning Analytics Local versions 2.1.0 through 2.1.17. The issue arises from the product's caching mechanism, which can be manipulated by an attacker to store and serve sensitive, user-specific responses as publicly cacheable resources. This means that confidential data intended for a particular user could be cached and subsequently accessed by other users or unauthorized parties. The vulnerability requires network access (AV:N), low attack complexity (AC:L), and privileges (PR:L), along with user interaction (UI:R). The scope is unchanged (S:U), and the impact is high on confidentiality (C:H), with no impact on integrity (I:N) or availability (A:N). The flaw could lead to unauthorized disclosure of sensitive business analytics data, potentially exposing proprietary or personal information. Although no public exploits are known, the vulnerability's nature makes it a concern for organizations relying on IBM Planning Analytics Local for critical financial and operational planning. The absence of patches at the time of reporting necessitates immediate attention to alternative mitigations.

The primary impact of CVE-2025-14806 is the unauthorized disclosure of sensitive information due to improper caching. Organizations using IBM Planning Analytics Local risk exposing confidential business analytics data, which could include financial forecasts, strategic plans, or personally identifiable information. Such data leakage can lead to competitive disadvantage, regulatory compliance violations (e.g., GDPR, HIPAA), reputational damage, and potential legal consequences. Since the vulnerability does not affect data integrity or system availability, the threat is confined to confidentiality breaches. However, the ease of exploitation—requiring only low privileges and user interaction—means insider threats or phishing attacks could trigger data exposure. The scope is limited to affected versions, but given IBM Planning Analytics' use in finance and enterprise planning worldwide, the impact could be significant for organizations relying on these versions without mitigations.

To mitigate CVE-2025-14806, organizations should first verify if they are running IBM Planning Analytics Local versions 2.1.0 through 2.1.17 and plan for immediate upgrade once patches become available. In the interim, administrators should review and tighten caching policies to ensure sensitive responses are not marked as publicly cacheable. This can include configuring cache-control headers to prevent caching of user-specific or sensitive data, disabling caching on endpoints serving confidential information, or implementing reverse proxy rules to control cache behavior. Additionally, monitoring and logging access to cached resources can help detect anomalous access patterns. Limiting user privileges and educating users about phishing and social engineering risks can reduce the chance of exploitation requiring user interaction. Network segmentation and access controls should be enforced to restrict exposure of the affected service to trusted users only. Finally, coordinate with IBM support for any recommended workarounds or updates.