Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Adjacent network and high complexity because attacker must impersonate a backend WAS server on the internal app-tier segment; no auth or UI needed; full RCE impact.
Primary rating from Vendor (ibm).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionNVD
IBM i 7.6, 7.5, 7.4, and 7.3, IBM WebSphere Application Server, and IBM WebSphere Application Server Liberty - when using Intelligent Management with the WebSphere WebServer Plug-in component - are vulnerable to remote code execution and denial of service. This vulnerability can be exploited when an attacker impersonates backend servers and sends crafted responses to the plug-in.
AnalysisAI
Remote code execution and denial of service in IBM WebSphere Application Server and WebSphere Application Server Liberty (including IBM i 7.3-7.6) occurs when the WebServer Plug-in component is deployed with Intelligent Management enabled. An attacker who can impersonate a backend application server and return crafted responses can trigger code injection (CWE-94) against the plug-in, yielding full confidentiality, integrity, and availability impact. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires three concrete prerequisites drawn from the description: (1) a target deployment of IBM WebSphere Application Server, WebSphere Application Server Liberty, or IBM i 7.3/7.4/7.5/7.6 that uses the WebSphere WebServer Plug-in, (2) the Intelligent Management feature must be explicitly enabled in the plug-in configuration - default plug-in deployments without Intelligent Management are not affected, and (3) the attacker must achieve a network position that lets them impersonate one of the configured backend WebSphere application servers to the plug-in (typically meaning ARP/DNS/IP spoofing on the internal app-tier network, or otherwise hijacking the backend response channel). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals diverge sharply: NVD CVSS 3.1 is 9.8 (AV:N/AC:L/PR:N/UI:N, C/I/A all High), yet EPSS exploitation probability is only 0.38% (30th percentile) and CISA SSVC reports Exploitation=none and Automatable=no with Technical Impact=total. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has gained a foothold on the internal network segment between the web tier and WebSphere backends (for example via a compromised internal host or an SSRF primitive in another app) spoofs the IP/port of a registered WAS backend server and waits for the plug-in to send a request. They reply with a crafted Intelligent Management response containing the malicious payload that triggers CWE-94 code injection in the plug-in process, achieving code execution inside the front-end HTTP server (or crashing it for denial of service). … |
| Remediation | Patch available per vendor advisory - apply the fixes referenced in IBM Support note https://www.ibm.com/support/pages/node/7277344 for the affected IBM i 7.3 / 7.4 / 7.5 / 7.6 releases and the corresponding WebSphere Application Server and Liberty WebServer Plug-in builds (the EUVD entry indicates IBM i 7.6 must be moved past 1.8.4); exact build numbers should be taken from IBM's advisory rather than this analysis. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all IBM WebSphere Application Server deployments (IBM i 7.3-7.6 and WAS/Liberty) with WebServer Plug-in and Intelligent Management enabled. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38286
GHSA-m4cj-h36g-cxjg