Skip to main content

IBM WebSphere Application Server EUVDEUVD-2026-33735

| CVE-2026-9311 CRITICAL
Code Injection (CWE-94)
2026-06-01 ibm GHSA-gfh5-5q87-hr66
9.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.0 CRITICAL
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 01, 2026 - 19:21 vuln.today

DescriptionCVE.org

IBM WebSphere Application Server 9.0, and 8.5 is vulnerable to remote code execution caused by the bypass of security controls.

AnalysisAI

Remote code execution in IBM WebSphere Application Server 9.0 and 8.5 allows network-based attackers to bypass security controls and execute arbitrary code on the application server. The flaw carries a CVSS 9.0 critical rating with a scope-changed impact (S:C) and requires no authentication, though high attack complexity (AC:H) suggests specific timing or environmental conditions must be met. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Technical ContextAI

WebSphere Application Server is IBM's enterprise Java EE/Jakarta EE runtime used to host mission-critical web applications, often deployed as a backend tier behind reverse proxies and integrated with IBM HTTP Server, MQ, and Db2. The CPE string cpe:2.3:a:ibm:websphere_application_server:*:*:*:*:*:*:*:* indicates the entire product family across patch levels of the 9.0 and 8.5 branches is in scope until the IBM fix is applied. CWE-94 (Improper Control of Generation of Code, i.e., Code Injection) at the root cause means untrusted input reaches a code-generation or deserialization-style sink - historically in WebSphere this class has manifested in Java object deserialization, JSP/EL evaluation, and management-channel handlers - letting an attacker influence JVM-level execution rather than merely the application logic.

RemediationAI

Apply the patch available per IBM's vendor advisory at https://www.ibm.com/support/pages/node/7274733, which lists the interim fixes and recommended fixpack levels for the 9.0 and 8.5 streams; exact fix versions should be taken directly from that bulletin as they were not enumerated in the intelligence feed. Until patching is complete, restrict network exposure of WebSphere admin ports (default 9043/9060/8880) and the SOAP/IIOP connector ports to trusted management subnets only, place internet-facing WAS nodes behind a WAF with rules that block known Java deserialization gadget patterns and oversized serialized payloads, and verify that the Java 2 Security Manager and channel framework custom properties recommended in IBM's hardening guide are enabled - accepting the trade-off that Security Manager can break applications relying on unrestricted reflection and that strict deserialization filters may reject legitimate but poorly-typed client traffic. Rotate any LTPA keys and administrative credentials after patching in case pre-patch exploitation occurred.

Share

EUVD-2026-33735 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy