CVE-2025-36038

EUVD-2025-19137 | CRITICAL | 2025-06-25 | [email protected] | 9.0 (CVSS 3.1)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 15, 2026 - 23:19 (vuln.today)
EUVD ID Assigned: Mar 15, 2026 - 23:19 (euvd), EUVD-2025-19137
CVE Published: Jun 25, 2025 - 21:15 (nvd), CRITICAL 9.0

Description

IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially crafted sequence of serialized objects.

Analysis

IBM WebSphere Application Server (WAS) versions 8.5 and 9.0 are vulnerable to remote code execution through deserialization of untrusted serialized objects, allowing an unauthenticated network attacker to execute arbitrary code even though the attack complexity is rated high (AC:H). This is a critical Java deserialization vulnerability (CWE-502) in an enterprise application server in widespread use; exploitation status and EPSS probability are not yet public, but the CVSS 9.0 score and network-accessible attack vector make it a priority concern for organizations running affected WAS versions.

Technical Context

The vulnerability stems from unsafe Java object deserialization (CWE-502: Deserialization of Untrusted Data) in IBM WebSphere Application Server. Java deserialization attacks rely on gadget chains in libraries available on the classpath to achieve remote code execution once an attacker controls the serialized object stream the application reads. WAS versions 8.5 and 9.0 contain logic that deserializes objects from network input without adequate validation, so a crafted serialized payload can trigger arbitrary code execution while the objects are being reconstructed. The attack requires network access (AV:N) but is rated as higher than trivial complexity (AC:H), most likely because a specific gadget chain must be available or timing conditions must be met. The flaw affects the core WAS runtime and potentially both standalone and distributed deployments; the Scope: Changed metric (S:C) indicates impact beyond the vulnerable component itself, which is consistent with clustered environments.

Affected Products

IBM WebSphere Application Server 8.5 (all maintenance levels and fix packs released before the patch became available) and IBM WebSphere Application Server 9.0 (all versions prior to patch availability). CPE entries likely include cpe:2.3:a:ibm:websphere_application_server:8.5:*:*:*:*:*:*:* and cpe:2.3:a:ibm:websphere_application_server:9.0:*:*:*:*:*:*:*. Potentially affected: WAS deployments on Linux, Windows, AIX and other supported platforms; clustered/distributed topologies where serialization is used to transmit objects between nodes; applications using WAS's built-in RMI, JMX or cluster communication channels. Note: the status of WAS 7.0 and earlier and of WAS 8.0 (end of support) is unclear from the description, and the status of WAS 9.0.5.x and later is unknown pending the vendor advisory.

Remediation

Immediate actions:
(1) Apply the IBM security patch when released (monitor the IBM Security Bulletin and WAS security advisories at ibm.com/support).
(2) For WAS 8.5: upgrade to the latest fix pack, or migrate to supported WAS 9.0.5.x or newer if available once patches are released.
(3) For WAS 9.0: apply the interim fix or upgrade to 9.0.5.x or later (patch version TBD pending vendor release).

Interim mitigations pending patch availability:
(a) Network segmentation: restrict access to WAS administrative ports and cluster communication ports to trusted networks only.
(b) Disable RMI/JMX interfaces that are not required.
(c) Implement Web Application Firewall (WAF) rules that block serialized object signatures in HTTP payloads (proactive, not guaranteed).
(d) Monitor logs for unusual deserialization errors.

Workaround: none definitive; the patch is mandatory. Vendor advisory: await the IBM WebSphere Application Server security bulletin (typically at ibm.com/support/pages/security-bulletins).
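An added detection example for mitigations (c) and (d), written for this page and not taken from vuln.today or IBM: it flags the Java serialization stream header (raw 0xACED0005, its base64 prefix "rO0AB", or a hex spelling) in HTTP request bodies and picks out deserialization exception lines from logs. The sample bodies and log lines are constructed, and the log layout is only WAS-like, not real server output.

```python
import base64
import re
from urllib.parse import unquote_to_bytes

# Java serialization stream header: STREAM_MAGIC 0xACED followed by STREAM_VERSION 0x0005.
SER_HEADER = b"\xac\xed\x00\x05"
# The header base64-encodes to "rO0ABQ=="; "rO0AB" is the prefix that survives when
# more bytes follow, provided the stream starts the base64 value (the usual case).
SER_B64_PREFIX = b"rO0AB"
SER_HEX = b"aced0005"

# Exceptions ObjectInputStream raises for a malformed stream, an unknown class,
# or a class rejected by a JEP 290 serialization filter.
DESER_LOG_PATTERN = re.compile(
    r"java\.io\.(InvalidClassException|StreamCorruptedException)"
    r"|java\.lang\.ClassNotFoundException|ObjectInputStream\.readObject"
)

def find_serialized_java(body: bytes) -> list[str]:
    """Return the encodings under which a Java serialization header appears in an HTTP body."""
    data = unquote_to_bytes(body)  # no-op when nothing is percent-encoded
    hits = []
    if SER_HEADER in data:
        hits.append("raw")
    if SER_B64_PREFIX in data:
        hits.append("base64")
    if SER_HEX in data.lower():
        hits.append("hex")
    return hits

def flag_deserialization_log_lines(lines: list[str]) -> list[str]:
    """Return log lines that mention a deserialization failure worth alerting on."""
    return [line for line in lines if DESER_LOG_PATTERN.search(line)]

# Constructed sample request bodies (not captured traffic).
SAMPLE_BODIES = {
    "form-login": b"user=alice&password=s3cret",
    "b64-cookie": b"session=" + base64.b64encode(SER_HEADER + b"sr\x00\x04Demo"),
    "url-encoded-raw": b"obj=%AC%ED%00%05sr",
    "hex-param": b"payload=ACED0005737200",
}

# Constructed log lines in a WAS-like layout (not real server output).
SAMPLE_LOGS = [
    "[6/25/25 21:15:02:123 UTC] 0000007a SystemOut O user alice logged in",
    "[6/25/25 21:15:09:456 UTC] 0000007b SystemErr R java.io.InvalidClassException: filter status: REJECTED",
    "[6/25/25 21:15:09:457 UTC] 0000007b SystemErr R \tat java.io.ObjectInputStream.readObject(ObjectInputStream.java)",
]
```

A WAF or log pipeline would run find_serialized_java over each request body and flag_deserialization_log_lines over SystemErr output; the base64 check misses streams that do not begin a base64 value, so it is a signal, not a guarantee.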

Priority Score: 45 (KEV: 0, EPSS: +0.4, CVSS: +45, POC: 0)


CVE-2025-36038 vulnerability details – vuln.today