Skip to main content

IBM WebSphere Plug-in CVE-2026-9072

| EUVDEUVD-2026-38286 CRITICAL
Code Injection (CWE-94)
2026-06-22 ibm GHSA-m4cj-h36g-cxjg
9.8
CVSS 3.1 · NVD
Share

Severity by source

Vendor (ibm) PRIMARY
HIGH
qualitative
NVD
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.5 HIGH

Adjacent network and high complexity because attacker must impersonate a backend WAS server on the internal app-tier segment; no auth or UI needed; full RCE impact.

3.1 AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (ibm).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Jun 23, 2026 - 21:00 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 23, 2026 - 21:00 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 23, 2026 - 20:52 vuln.today
cvss_changed
Severity Changed
Jun 23, 2026 - 20:52 NVD
HIGH CRITICAL
CVSS changed
Jun 23, 2026 - 20:52 NVD
8.1 (HIGH) 9.8 (CRITICAL)
Analysis Generated
Jun 22, 2026 - 16:02 vuln.today

DescriptionNVD

IBM i 7.6, 7.5, 7.4, and 7.3, IBM WebSphere Application Server, and IBM WebSphere Application Server Liberty - when using Intelligent Management with the WebSphere WebServer Plug-in component - are vulnerable to remote code execution and denial of service. This vulnerability can be exploited when an attacker impersonates backend servers and sends crafted responses to the plug-in.

AnalysisAI

Remote code execution and denial of service in IBM WebSphere Application Server and WebSphere Application Server Liberty (including IBM i 7.3-7.6) occurs when the WebServer Plug-in component is deployed with Intelligent Management enabled. An attacker who can impersonate a backend application server and return crafted responses can trigger code injection (CWE-94) against the plug-in, yielding full confidentiality, integrity, and availability impact. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain foothold on internal app-tier network
Delivery
Identify plug-in with Intelligent Management enabled
Exploit
Impersonate registered backend WebSphere server
Execution
Send crafted Intelligent Management response
Persist
Trigger CWE-94 code injection in plug-in
Impact
Execute code in web server process or crash plug-in

Vulnerability AssessmentAI

Exploitation Exploitation requires three concrete prerequisites drawn from the description: (1) a target deployment of IBM WebSphere Application Server, WebSphere Application Server Liberty, or IBM i 7.3/7.4/7.5/7.6 that uses the WebSphere WebServer Plug-in, (2) the Intelligent Management feature must be explicitly enabled in the plug-in configuration - default plug-in deployments without Intelligent Management are not affected, and (3) the attacker must achieve a network position that lets them impersonate one of the configured backend WebSphere application servers to the plug-in (typically meaning ARP/DNS/IP spoofing on the internal app-tier network, or otherwise hijacking the backend response channel). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals diverge sharply: NVD CVSS 3.1 is 9.8 (AV:N/AC:L/PR:N/UI:N, C/I/A all High), yet EPSS exploitation probability is only 0.38% (30th percentile) and CISA SSVC reports Exploitation=none and Automatable=no with Technical Impact=total. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has gained a foothold on the internal network segment between the web tier and WebSphere backends (for example via a compromised internal host or an SSRF primitive in another app) spoofs the IP/port of a registered WAS backend server and waits for the plug-in to send a request. They reply with a crafted Intelligent Management response containing the malicious payload that triggers CWE-94 code injection in the plug-in process, achieving code execution inside the front-end HTTP server (or crashing it for denial of service). …
Remediation Patch available per vendor advisory - apply the fixes referenced in IBM Support note https://www.ibm.com/support/pages/node/7277344 for the affected IBM i 7.3 / 7.4 / 7.5 / 7.6 releases and the corresponding WebSphere Application Server and Liberty WebServer Plug-in builds (the EUVD entry indicates IBM i 7.6 must be moved past 1.8.4); exact build numbers should be taken from IBM's advisory rather than this analysis. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all IBM WebSphere Application Server deployments (IBM i 7.3-7.6 and WAS/Liberty) with WebServer Plug-in and Intelligent Management enabled. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-9072 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy