
IBM WebSphere Application Server EUVD-2026-33737

CVE-2026-9319 · CRITICAL
Deserialization of Untrusted Data (CWE-502)
Published: 2026-06-01 · Vendor: ibm · Advisory: GHSA-rqhj-2grh-m6c2
CVSS 3.1 base score: 9.0 (NVD)

Severity by source

NVD (primary): 9.0 CRITICAL
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD; NVD is the only scoring source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

1. Analysis generated: Jun 01, 2026, 19:20 (vuln.today)

Description (CVE.org)

IBM WebSphere Application Server 9.0 and 8.5 are vulnerable to potential remote code execution due to deserialization of untrusted data via JAX-WS endpoints with WS-Security.

Analysis (AI-generated)

Remote code execution in IBM WebSphere Application Server 9.0 and 8.5 arises from unsafe deserialization of untrusted data processed by JAX-WS endpoints that use WS-Security. Unauthenticated remote attackers who can reach a SOAP/JAX-WS endpoint may craft malicious serialized payloads to execute arbitrary code in the WebSphere server context. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Discover exposed JAX-WS endpoint
Delivery: Identify WS-Security processing
Exploit: Craft malicious serialized gadget chain
Install: Send SOAP request with payload
C2: Trigger deserialization in WAS
Execute: Execute code as WAS process
Impact: Pivot into enterprise application data

Vulnerability Assessment (AI-generated)

Exploitation: The target WebSphere Application Server 9.0 or 8.5 instance must expose a JAX-WS web service endpoint that has WS-Security enabled and is network-reachable by the attacker; the attacker does not need credentials (PR:N). … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: Risk signals are mixed but lean high-priority for exposed deployments. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker reaches an internet-exposed or internally accessible WebSphere JAX-WS endpoint that accepts WS-Security-protected SOAP messages and submits a crafted SOAP envelope embedding a malicious serialized Java object (e.g., a known Commons Collections or Spring gadget chain present on the WAS classpath). When WebSphere deserializes the payload during WS-Security processing, the gadget chain executes arbitrary commands as the WAS server identity, granting full host compromise within the application server's privilege context. …

Remediation: Patch available per vendor advisory: apply the interim fix or fix pack referenced in IBM Security Bulletin https://www.ibm.com/support/pages/node/7274738 for both the 9.0 and 8.5 release streams (consult that bulletin for the exact iFix/PTF identifier matching your installed fix-pack level, as IBM did not publish a single canonical version string in the input data). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI-generated)

Within 24 hours: Conduct inventory of all WebSphere 9.0 and 8.5 deployments; restrict network access to JAX-WS/SOAP endpoints to internal networks only. …

