Skip to main content

IBM TSSC/TS4500 IMC CVE-2026-5935

| EUVDEUVD-2026-25136 HIGH
OS Command Injection (CWE-78)
2026-04-23 psirt@us.ibm.com GHSA-7345-vwm6-q6vg
7.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

5
Re-analysis Queued
Apr 24, 2026 - 14:52 vuln.today
cvss_changed
Analysis Generated
Apr 23, 2026 - 06:47 vuln.today
EUVD ID Assigned
Apr 23, 2026 - 00:22 euvd
EUVD-2026-25136
Analysis Generated
Apr 23, 2026 - 00:22 vuln.today
CVE Published
Apr 23, 2026 - 00:16 nvd
HIGH 7.3

DescriptionCVE.org

IBM Total Storage Service Console (TSSC) / TS4500 IMC 9.2, 9.3, 9.4, 9.5, 9.6 TSSC/IMC could allow an unauthenticated user to execute arbitrary commands with normal user privileges on the system due to improper validation of user supplied input.

AnalysisAI

Remote code execution in IBM Total Storage Service Console (TSSC) and TS4500 IMC versions 9.2 through 9.6 allows unauthenticated attackers to execute arbitrary commands with normal user privileges via improper input validation. The vulnerability carries a CVSS score of 7.3 with network attack vector and low complexity (AV:N/AC:L/PR:N/UI:N), enabling remote exploitation without authentication. No public exploit identified at time of analysis, and EPSS risk data is not available for this 2026 CVE.

Technical ContextAI

This vulnerability affects IBM Total Storage Service Console (TSSC) and TS4500 Intelligent Management Console (IMC), enterprise-class tape storage management platforms used in data center environments. The root cause is CWE-78 (OS Command Injection), where the application fails to properly sanitize user-supplied input before passing it to system command execution functions. The affected versions span 9.2.0 through 9.6.0, representing multiple major and minor releases. Command injection vulnerabilities typically arise when web interfaces or API endpoints concatenate user input directly into shell commands without adequate validation, escaping, or parameterization. The CVSS vector indicates this is a network-accessible vulnerability requiring no authentication (PR:N) and no user interaction (UI:N), making it exploitable by any remote attacker who can reach the management console interface.

RemediationAI

Apply IBM's vendor-released security patch by upgrading to the fixed version specified in IBM support page node/7270127 (exact patched version not confirmed from available data - consult vendor advisory directly). Until patching is complete, implement network segmentation to restrict TSSC/IMC console access to trusted management networks only, blocking all internet and untrusted network access via firewall rules. Deploy web application firewall (WAF) rules to filter common command injection patterns in HTTP requests, though this provides only partial protection and may impact legitimate administrative functions. Monitor system logs for unusual command execution patterns or suspicious process creation from the TSSC/IMC application context. Disable any unused or non-essential features of the management console that accept external input. Organizations unable to patch immediately should consider temporarily isolating affected systems until remediation can be completed, weighing operational impact against security risk based on current network exposure.

Share

CVE-2026-5935 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy