Severity by source
CVSS 3.1 base score: 9.0 (Critical)
CVSS vector (NVD): CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially crafted sequence of serialized objects.
Analysis (AI)
IBM WebSphere Application Server (WAS) 8.5 and 9.0 are vulnerable to remote code execution through deserialization of an attacker-supplied sequence of serialized Java objects. No authentication or user interaction is required, but attack complexity is rated high (AC:H). This is a Java deserialization flaw (CWE-502) in an enterprise application server in widespread use. Exploitation status and an EPSS probability are not yet published; the CVSS 9.0 (Critical) score and network attack vector make it a priority for any organization running the affected versions.
Technical Context (AI)
The vulnerability is unsafe Java object deserialization (CWE-502: Deserialization of Untrusted Data) in IBM WebSphere Application Server. Java deserialization attacks rely on gadget chains: classes already on the server's classpath whose readObject, hashCode, compareTo or similar callbacks have side effects that, linked together in a crafted object graph, run attacker-chosen code while the stream is being reconstructed. WAS 8.5 and 9.0 deserialize objects from network input without sufficient validation, so an attacker who can deliver a crafted serialized stream to an affected listener can trigger such a chain. The attack is network-reachable (AV:N) with no privileges (PR:N) or user interaction (UI:N), but attack complexity is rated high (AC:H), which for deserialization bugs usually reflects the need for a usable gadget chain on the target's classpath or other conditions outside the attacker's control. The scope change (S:C) records NVD's assessment that the impact reaches resources beyond the vulnerable component's own security authority (such as the host operating system); it does not refer to clustered deployments. Both standalone and distributed (network deployment) installations of the core WAS runtime are potentially affected.
Remediation (AI)
Immediate actions:
(1) Apply the IBM security fix once it is released; monitor the IBM Security Bulletins for WebSphere Application Server at ibm.com/support/pages/security-bulletins.
(2) WAS 8.5: apply the latest fix pack plus the interim fix IBM publishes for this CVE, or migrate to a supported 9.0.5.x level once a fixed release is available.
(3) WAS 9.0: apply the interim fix or move to the fixed 9.0.5.x level named in the bulletin (not yet published at the time of this entry).
Interim mitigations until a fix is available:
(a) Network segmentation: restrict access to WAS administrative ports and cluster communication ports to trusted networks only.
(b) Disable RMI/JMX interfaces that are not required.
(c) Web Application Firewall rules that block Java serialized-object signatures in HTTP payloads (the stream header 0xACED0005, or rO0AB in its base64 form). This is proactive, not guaranteed: payloads can be re-encoded or compressed, and some WAS protocols legitimately carry serialized objects.
(d) Monitor logs for unexpected deserialization errors from ObjectInputStream, for example ClassNotFoundException, InvalidClassException or StreamCorruptedException on endpoints that should not receive serialized input.
Workaround: none definitive; patching is mandatory. Vendor advisory: await the IBM WebSphere Application Server security bulletin for this CVE.
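The following is an added example, not code from vuln.today, IBM or the CVE record, showing what mitigations (c) and (d) above look like in practice: a request-body inspector that finds Java serialization streams (raw or base64-encoded), pulls the class names out of their TC_CLASSDESC records, and flags any class not on a per-endpoint allowlist. The allowlist, the sample request bodies and the hand-built class descriptors are all constructed for the example; the gadget-library class name used in one sample comes from a publicly documented Apache Commons Collections chain and illustrates the allowlist check only, it says nothing about this CVE's actual payload. The scanner is a heuristic over the stream layout, not a full parser, and it does not handle URL-encoded or gzip-wrapped payloads.

```python
import base64
import binascii
import re
from dataclasses import dataclass, field

# Java ObjectOutputStream header: STREAM_MAGIC (0xACED) + STREAM_VERSION (5).
STREAM_MAGIC = b"\xac\xed\x00\x05"
TC_CLASSDESC = 0x72  # tag that precedes a class name in the stream

# Constructed allowlist for this example: the classes one specific endpoint is
# expected to receive. Anything else found in an incoming stream is hostile.
ALLOWED_CLASSES = {"java.lang.String", "java.util.HashMap", "com.example.Order"}

# JVM binary class names as written in TC_CLASSDESC records,
# e.g. "java.util.HashMap", "[Ljava.lang.Object;", "[B".
CLASS_NAME_RE = re.compile(rb"^(\[+[BCDFIJSZ]|\[*L?[A-Za-z_$][A-Za-z0-9_$.]*;?)$")


def find_serialized_streams(body: bytes) -> list:
    """Return candidate Java serialization streams in an HTTP body, raw or
    base64-encoded ("rO0AB" is the base64 form of the 4-byte header)."""
    streams = [body[m.start():] for m in re.finditer(re.escape(STREAM_MAGIC), body)]
    for m in re.finditer(rb"rO0AB[A-Za-z0-9+/=]+", body):
        chunk = m.group(0)
        chunk = chunk[: len(chunk) - len(chunk) % 4]  # drop a trailing partial quartet
        try:
            decoded = base64.b64decode(chunk, validate=True)
        except binascii.Error:
            continue
        if decoded.startswith(STREAM_MAGIC):
            streams.append(decoded)
    return streams


def extract_class_names(stream: bytes) -> list:
    """Heuristically pull class names out of TC_CLASSDESC records, laid out as
    0x72, a 2-byte big-endian length, then the modified-UTF-8 class name.
    This does not walk the full grammar (back-references, proxy descriptors,
    block data), so it is a detection aid; a stream it cannot read is still suspect."""
    names = []
    i = stream.find(bytes([TC_CLASSDESC]))
    while i != -1:
        length = int.from_bytes(stream[i + 1:i + 3], "big")
        name = stream[i + 3:i + 3 + length]
        if 0 < length <= 512 and len(name) == length and CLASS_NAME_RE.match(name):
            decoded = name.decode("ascii")
            if decoded not in names:
                names.append(decoded)
        i = stream.find(bytes([TC_CLASSDESC]), i + 1)
    return names


@dataclass
class Verdict:
    is_serialized: bool
    classes: list = field(default_factory=list)
    disallowed: list = field(default_factory=list)


def inspect_body(body: bytes, allowed=frozenset(ALLOWED_CLASSES)) -> Verdict:
    """Classify one request body for a WAF rule or a log-review script."""
    streams = find_serialized_streams(body)
    if not streams:
        return Verdict(False)
    classes = []
    for s in streams:
        for c in extract_class_names(s):
            if c not in classes:
                classes.append(c)
    return Verdict(True, classes, [c for c in classes if c not in allowed])


def should_block(v: Verdict) -> bool:
    """Block a stream naming any class outside the allowlist, and also a stream
    that could not be read at all: an endpoint that should never receive Java
    serialization has no benign reason to carry the 0xACED0005 header."""
    return v.is_serialized and (not v.classes or bool(v.disallowed))


def _class_desc(name: str) -> bytes:
    """Constructed test data: TC_OBJECT + TC_CLASSDESC for a class with no fields
    (name, serialVersionUID=0, SC_SERIALIZABLE, 0 fields, TC_ENDBLOCKDATA,
    TC_NULL superclass). Enough to exercise the scanner, not a loadable object."""
    n = name.encode("ascii")
    return (b"\x73\x72" + len(n).to_bytes(2, "big") + n
            + b"\x00" * 8 + b"\x02" + b"\x00\x00" + b"\x78\x70")


# Constructed sample bodies (see lead-in about the InvokerTransformer name).
BENIGN_BODY = STREAM_MAGIC + _class_desc("com.example.Order")
GADGET_STREAM = (STREAM_MAGIC + _class_desc("java.util.HashMap")
                 + _class_desc("org.apache.commons.collections.functors.InvokerTransformer"))
B64_BODY = b"viewState=" + base64.b64encode(GADGET_STREAM) + b"&submit=1"
UNREADABLE_BODY = STREAM_MAGIC + b"\x77\x04\x00\x00\x00\x01"  # header + block data only
JSON_BODY = b'{"orderId": 42}'

if __name__ == "__main__":
    for label, body in [("benign", BENIGN_BODY), ("base64 gadget", B64_BODY),
                        ("unreadable", UNREADABLE_BODY), ("json", JSON_BODY)]:
        v = inspect_body(body)
        print(f"{label:14} serialized={v.is_serialized} classes={v.classes} "
              f"block={should_block(v)}")
```

Run it directly to see the four verdicts. The same allowlist idea applied inside the JVM is a serialization filter (JEP 290, jdk.serialFilter or ObjectInputFilter), which sees the real class descriptors rather than a byte-level heuristic; a perimeter check like this one cannot be applied to WAS protocols that legitimately carry serialized objects, which is why the vendor fix remains mandatory.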
EUVD ID: EUVD-2025-19137