Severity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Adjacent vector because attacker must impersonate WAS on the plug-in's network; AC:H reflects the spoofing/positioning prerequisite; PR:N and UI:N since no credentials or user action needed; full CIA impact on the plug-in host.
Primary rating from Vendor (ibm).
CVSS VectorNVD
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionNVD
IBM i 7.6, 7.5, 7.4, and 7.3, IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to remote code execution and denial of service in the WebSphere Web Server Plug-in component. This vulnerability can be exploited when an attacker impersonates the application server and sends crafted responses to the plug-in.
AnalysisAI
Remote code execution and denial of service in the IBM WebSphere Web Server Plug-in shipped with IBM i 7.3, 7.4, 7.5, and 7.6 (through 1.8.4) allows an attacker positioned on the adjacent network to abuse the plug-in's handling of responses from an upstream WebSphere Application Server. By impersonating the application server and returning crafted responses, the attacker can trigger code injection (CWE-94) against the plug-in, leading to full compromise of confidentiality, integrity, and availability. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Attacker must be on the same adjacent network segment as the WebSphere Web Server Plug-in host and able to impersonate the upstream IBM WebSphere Application Server or WAS Liberty instance (e.g., via ARP/DNS spoofing, a compromised adjacent host, or sitting on the plug-in-to-WAS path), and must induce the plug-in to process a crafted response from the spoofed backend; the affected configuration is any IBM i 7.3/7.4/7.5/7.6 deployment running the WebSphere Web Server Plug-in at version ≤1.8.4. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The 8.8 CVSS base score and the SSVC 'total' technical impact rating both signal that successful exploitation yields a complete takeover of the web-server/plug-in process, which typically runs with significant privileges in front of business-critical Java workloads. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has gained a foothold on the internal network between an IHS/Apache front-end and the WebSphere Application Server (for example via a compromised adjacent host, ARP spoofing, or rogue DHCP) impersonates the legitimate WAS endpoint and replies to plug-in requests with a crafted response that triggers the code-injection flaw inside the plug-in process. Successful exploitation lets the attacker execute arbitrary code in the context of the web-tier server or crash the plug-in to deny service to all hosted applications. … |
| Remediation | Patch available per vendor advisory - apply the IBM-provided fix for the WebSphere Web Server Plug-in on IBM i 7.3, 7.4, 7.5, and 7.6 as documented at https://www.ibm.com/support/pages/node/7277344, upgrading the plug-in past the 1.8.4 vulnerable level on every web-tier host that fronts WAS or Liberty. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all IBM i 7.3-7.6 systems running WebSphere Web Server Plug-in version 1.8.4 or earlier and assess adjacent network exposure from untrusted segments. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38284
GHSA-mfq9-47xf-5654