Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
5DescriptionCVE.org
IBM Total Storage Service Console (TSSC) / TS4500 IMC 9.2, 9.3, 9.4, 9.5, 9.6 TSSC/IMC could allow an unauthenticated user to execute arbitrary commands with normal user privileges on the system due to improper validation of user supplied input.
AnalysisAI
Remote code execution in IBM Total Storage Service Console (TSSC) and TS4500 IMC versions 9.2 through 9.6 allows unauthenticated attackers to execute arbitrary commands with normal user privileges via improper input validation. The vulnerability carries a CVSS score of 7.3 with network attack vector and low complexity (AV:N/AC:L/PR:N/UI:N), enabling remote exploitation without authentication. No public exploit identified at time of analysis, and EPSS risk data is not available for this 2026 CVE.
Technical ContextAI
This vulnerability affects IBM Total Storage Service Console (TSSC) and TS4500 Intelligent Management Console (IMC), enterprise-class tape storage management platforms used in data center environments. The root cause is CWE-78 (OS Command Injection), where the application fails to properly sanitize user-supplied input before passing it to system command execution functions. The affected versions span 9.2.0 through 9.6.0, representing multiple major and minor releases. Command injection vulnerabilities typically arise when web interfaces or API endpoints concatenate user input directly into shell commands without adequate validation, escaping, or parameterization. The CVSS vector indicates this is a network-accessible vulnerability requiring no authentication (PR:N) and no user interaction (UI:N), making it exploitable by any remote attacker who can reach the management console interface.
RemediationAI
Apply IBM's vendor-released security patch by upgrading to the fixed version specified in IBM support page node/7270127 (exact patched version not confirmed from available data - consult vendor advisory directly). Until patching is complete, implement network segmentation to restrict TSSC/IMC console access to trusted management networks only, blocking all internet and untrusted network access via firewall rules. Deploy web application firewall (WAF) rules to filter common command injection patterns in HTTP requests, though this provides only partial protection and may impact legitimate administrative functions. Monitor system logs for unusual command execution patterns or suspicious process creation from the TSSC/IMC application context. Disable any unused or non-essential features of the management console that accept external input. Organizations unable to patch immediately should consider temporarily isolating affected systems until remediation can be completed, weighing operational impact against security risk based on current network exposure.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25136
GHSA-7345-vwm6-q6vg