Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Unauthenticated remote XML submission to a default parser gives AV:N/AC:L/PR:N/UI:N; XXE yields file disclosure (C:H) and memory-exhaustion DoS (A:H) with no integrity impact (I:N).
Primary rating from NVD.
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Description (NVD)
IBM Business Automation Manager Open Editions 9.0.0 through 9.4.2 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
Analysis (AI)
XML external entity (XXE) injection in IBM Business Automation Manager Open Editions 9.0.0 through 9.4.2 lets a remote, unauthenticated attacker submit crafted XML to the application's XML parser to read sensitive files or exhaust memory. The flaw carries a CVSS 9.1 (high confidentiality and availability impact) but has no public exploit identified at time of analysis, and EPSS is low at 0.39% (31st percentile). …
Attack Chain (AI-derived)
Hypothetical attack flow derived from CVE metadata
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires reaching a BAMOE 9.0.0-9.4.2 interface that parses attacker-supplied XML (its process/decision model ingestion or XML-accepting APIs) with the underlying parser's external-entity/DTD resolution enabled, which is the CWE-611 condition. … |
| Risk Assessment | The signals are mixed: elevated theoretical severity (CVSS 9.1) but modest immediate urgency (low EPSS, no known public exploit). … |
| Exploit Scenario | An attacker with network reach to a BAMOE endpoint that accepts XML sends a crafted document containing an external entity referencing a local file (e.g. an OS credential or configuration file), causing the server to return or leak the file contents; alternatively the attacker submits a deeply nested/expanding entity to exhaust server memory. … |
| Remediation | Consult the IBM advisory at https://www.ibm.com/support/pages/node/7278532 for the fixed release and upgrade beyond the affected 9.0.0-9.4.2 range. A patch is available per the vendor advisory, but the exact fixed version number is not stated in the available data and should be confirmed directly with IBM before planning the upgrade. … |
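The parser precondition named in the Exploitation row (external-entity/DTD resolution enabled) is what a defender removes at the application layer. As an added example that is not BAMOE or IBM code, the Python function below parses untrusted XML with the standard-library expat parser and fails closed on any DOCTYPE or entity declaration, which covers both the file-disclosure and the entity-expansion cases from the Exploit Scenario row. The element names, entity names and the `file:///path/to/secret` path are constructed for the illustration.

```python
"""Reject DTD/entity declarations in untrusted XML before building a tree.

Added example (not BAMOE or IBM code). Uses Python's stdlib expat parser
plus ElementTree's TreeBuilder so the hardened parse produces an ordinary
Element tree for the caller.
"""
import xml.parsers.expat as expat
from xml.etree import ElementTree as ET


class DtdRejected(ValueError):
    """Inbound document declared a DOCTYPE or an entity (the CWE-611 precondition)."""


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted client, failing closed on any DTD.

    XXE file disclosure and entity-expansion memory exhaustion both need a
    DTD (internal subset or external), so refusing the DOCTYPE removes the
    whole class instead of trying to tell benign from malicious entities.
    """
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdRejected(f"DOCTYPE '{name}' not accepted from untrusted input")

    def reject_entity(name, *_ignored):
        raise DtdRejected(f"entity '{name}' declaration not accepted")

    def reject_external_ref(context, base, sysid, pubid):
        # Defence in depth: never fetch an external resource even if a
        # DOCTYPE somehow got past the handler above.
        raise DtdRejected(f"external entity reference to {sysid!r} refused")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external_ref
    # Never expand parameter entities (the route by which external DTDs are pulled in).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    # Forward element events to TreeBuilder to get a normal Element tree.
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(data, True)
    return builder.close()


def is_rejected(data: bytes) -> bool:
    """True if the document is refused for declaring a DTD or entity."""
    try:
        parse_untrusted_xml(data)
    except DtdRejected:
        return True
    return False


# Constructed sample inputs (not taken from the advisory).
BENIGN = b"<deployment><process id='order-approval'/></deployment>"
# External entity pointing at a local file: the disclosure case (C:H).
XXE_FILE = (b"<?xml version='1.0'?>"
            b"<!DOCTYPE d [<!ENTITY leak SYSTEM 'file:///path/to/secret'>]>"
            b"<d>&leak;</d>")
# Nested entity expansion: the memory-exhaustion case (A:H).
XXE_EXPANSION = (b"<!DOCTYPE d [<!ENTITY a 'aaaaaaaa'>"
                 b"<!ENTITY b '&a;&a;&a;&a;'><!ENTITY c '&b;&b;&b;&b;'>]>"
                 b"<d>&c;</d>")

if __name__ == "__main__":
    root = parse_untrusted_xml(BENIGN)
    print("benign parsed:", root.tag, root[0].get("id"))
    for label, doc in (("file disclosure", XXE_FILE),
                       ("entity expansion", XXE_EXPANSION)):
        print(f"{label} rejected: {is_rejected(doc)}")
```

In a Java deployment such as BAMOE the same fail-closed posture is the parser factory's `http://apache.org/xml/features/disallow-doctype-decl` feature (together with `XMLConstants.FEATURE_SECURE_PROCESSING`); the point of the example is that the check happens before any entity is resolved, not after.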
Recommended Action (AI)
Within 24 hours: Identify all systems running IBM Business Automation Manager 9.0.0-9.4.2 and document network exposure. …
EUVD-2026-40389
GHSA-v868-4m83-h5w3