CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Description (NVD)
IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially crafted sequence of serialized objects.
Analysis (AI)
IBM WebSphere Application Server (WAS) versions 8.5 and 9.0 are vulnerable to remote code execution through deserialization of untrusted serialized objects, allowing unauthenticated network attackers to execute arbitrary code; the assessment is made with high confidence, although the attack complexity is non-trivial (AC:H). This is a critical Java deserialization vulnerability (CWE-502) affecting enterprise application servers in widespread use. Exploitation status and EPSS probability are not yet public, but the CVSS 9.0 score and network-accessible attack vector make this a priority concern for organizations running the affected WAS versions.
Technical Context (AI)
The vulnerability stems from unsafe Java object deserialization (CWE-502: Deserialization of Untrusted Data) in IBM WebSphere Application Server. Java deserialization attacks rely on gadget chains in libraries available on the classpath to achieve remote code execution when the attacker controls the serialized object stream sent to the application. WAS versions 8.5 and 9.0 contain logic that deserializes objects from network input without adequate validation, so a crafted serialized payload can trigger arbitrary code execution while the objects are reconstructed. The attack requires network access (AV:N) but has higher-than-trivial complexity (AC:H), likely because a specific gadget chain must be assembled or a timing condition exploited. The flaw affects the core WAS runtime and potentially both standalone and distributed deployments (the S:C scope change in the CVSS vector reflects impact on clustered environments).
Remediation (AI)
Immediate actions:
(1) Apply the IBM security patch when released (monitor the IBM Security Bulletin and WAS security advisories at ibm.com/support).
(2) For WAS 8.5: upgrade to the latest fix pack, or migrate to supported WAS 9.0.5.x or newer if available after patches are released.
(3) For WAS 9.0: apply the interim fix or upgrade to 9.0.5.x+ (patch version TBD pending vendor release).
Interim mitigations pending patch availability:
(a) Network segmentation: restrict network access to WAS administrative ports and cluster communication ports to trusted networks only.
(b) Disable unnecessary RMI/JMX interfaces if not required.
(c) Implement Web Application Firewall (WAF) rules to block serialized-object signatures in HTTP payloads (proactive, not guaranteed).
(d) Monitor for unusual deserialization errors in logs.
Workaround: none definitive; the patch is mandatory.
Vendor advisory: await the IBM WebSphere Application Server security bulletin (typically at ibm.com/support/pages/security-bulletins).
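As an added example (not code from the vuln.today page, NVD or IBM), the following Python helper automates the two interim mitigations that lend themselves to tooling: screening HTTP request bodies for the Java serialization stream signature that WAF rules would key on (the ObjectOutputStream header, STREAM_MAGIC 0xACED followed by STREAM_VERSION 0x0005), whether it arrives raw, base64-encoded or hex-encoded, and flagging deserialization-related exceptions in server logs. It generalizes beyond a single raw-byte signature so that encoded payloads are not missed. The sample bodies, the log lines and the class name ExampleBean are constructed for illustration; the header constants, type codes and exception class names are standard Java (java.io.ObjectStreamConstants and java.io).

```python
"""Detect Java serialized-object payloads in HTTP bodies and suspicious
deserialization errors in logs. Added example; sample data is constructed."""
import base64
import binascii
import re
from typing import Optional

STREAM_MAGIC = b"\xac\xed"       # java.io.ObjectStreamConstants.STREAM_MAGIC
STREAM_VERSION = b"\x00\x05"     # java.io.ObjectStreamConstants.STREAM_VERSION
RAW_HEADER = STREAM_MAGIC + STREAM_VERSION

# Type-code byte that normally follows the header (ObjectStreamConstants.TC_*).
TYPE_CODES = {
    0x70: "TC_NULL", 0x71: "TC_REFERENCE", 0x72: "TC_CLASSDESC",
    0x73: "TC_OBJECT", 0x74: "TC_STRING", 0x75: "TC_ARRAY",
    0x76: "TC_CLASS", 0x7E: "TC_ENUM",
}

_B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")
_HEX_TOKEN = re.compile(rb"(?i)aced0005[0-9a-f]*")


def parse_stream_header(data: bytes) -> Optional[dict]:
    """Return version and first type code if `data` starts with a Java
    serialization header, else None."""
    if len(data) < 4 or data[:2] != STREAM_MAGIC:
        return None
    version = int.from_bytes(data[2:4], "big")
    first = data[4] if len(data) > 4 else None
    return {"version": version, "first_type_code": TYPE_CODES.get(first, "unknown")}


def find_serialized_objects(body: bytes) -> list:
    """Locate Java serialization headers in a request body in raw, base64
    or hex form. Each finding records the encoding and byte offset."""
    findings = []
    for m in re.finditer(re.escape(RAW_HEADER), body):
        hdr = parse_stream_header(body[m.start():m.start() + 5])
        findings.append({"encoding": "raw", "offset": m.start(), **hdr})
    for m in _B64_TOKEN.finditer(body):
        tok = m.group(0)
        tok += b"=" * (-len(tok) % 4)          # tolerate stripped padding
        try:
            decoded = base64.b64decode(tok, validate=True)
        except (binascii.Error, ValueError):
            continue
        idx = decoded.find(RAW_HEADER)
        if idx != -1:
            hdr = parse_stream_header(decoded[idx:idx + 5])
            findings.append({"encoding": "base64", "offset": m.start(), **hdr})
    for m in _HEX_TOKEN.finditer(body):
        tok = m.group(0)
        tok = tok[: len(tok) - len(tok) % 2]   # drop a trailing odd nibble
        decoded = bytes.fromhex(tok.decode("ascii"))
        hdr = parse_stream_header(decoded[:5])
        findings.append({"encoding": "hex", "offset": m.start(), **hdr})
    return findings


# Exceptions that ObjectInputStream raises when a stream does not match the
# classes the server expects; a burst of these is worth investigating.
# ClassNotFoundException is noisier and should be correlated with the others.
DESERIALIZATION_ERROR_MARKERS = (
    "java.io.InvalidClassException",
    "java.io.StreamCorruptedException",
    "java.io.OptionalDataException",
    "java.lang.ClassNotFoundException",
)


def flag_log_line(line: str) -> Optional[str]:
    """Return the matching exception name if the log line looks like a
    deserialization failure, else None."""
    for marker in DESERIALIZATION_ERROR_MARKERS:
        if marker in line:
            return marker
    return None


# Constructed samples (not captured traffic or real server logs).
# Header, then TC_OBJECT, TC_CLASSDESC and an 11-byte class name.
SAMPLE_STREAM = RAW_HEADER + b"\x73\x72\x00\x0bExampleBean"
SAMPLE_BODIES = {
    "raw": b"POST body: " + SAMPLE_STREAM,
    "base64": b"obj=" + base64.b64encode(SAMPLE_STREAM),
    "hex": b'{"blob": "' + SAMPLE_STREAM.hex().encode("ascii") + b'"}',
    "benign": b"user=alice&action=list",
}
SAMPLE_LOG_LINES = [
    "[1/1/26 12:00:01] E SystemErr java.io.InvalidClassException: ExampleBean; "
    "class invalid for deserialization",
    "[1/1/26 12:00:02] I Request completed in 12 ms",
]

if __name__ == "__main__":
    for name, body in SAMPLE_BODIES.items():
        print(name, find_serialized_objects(body))
    for line in SAMPLE_LOG_LINES:
        print(flag_log_line(line), "<-", line)
```

A WAF rule built from the same signatures should be treated as a screen, not a guarantee, as the remediation text notes: encodings other than the three handled here are possible, and the decisive fix remains the vendor patch.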
EUVD-2025-19137