IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially crafted sequence of serialized objects.
Fixes

Solution

For IBM WebSphere Application Server traditional: For V9.0.0.0 through 9.0.5.24: · Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH66674 --OR-- · Apply Fix Pack 9.0.5.25 or later (targeted availability 3Q2025). For V8.5.0.0 through 8.5.5.27: · Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH66674 --OR-- · Apply Fix Pack 8.5.5.28 or later (targeted availability 3Q2025). Additional interim fixes may be available and linked off the interim fix download page.


Workaround

No workaround given by the vendor.

History

Fri, 18 Jul 2025 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Hp
Hp hp-ux
Ibm aix
Ibm i
Ibm z\/os
Linux
Linux linux Kernel
Microsoft
Microsoft windows
Oracle
Oracle solaris
CPEs cpe:2.3:a:ibm:websphere_application_server:*:*:*:*:*:*:*:*
cpe:2.3:o:hp:hp-ux:-:*:*:*:*:*:*:*
cpe:2.3:o:ibm:aix:-:*:*:*:*:*:*:*
cpe:2.3:o:ibm:i:-:*:*:*:*:*:*:*
cpe:2.3:o:ibm:z\/os:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
cpe:2.3:o:oracle:solaris:-:*:*:*:*:*:*:*
Vendors & Products Hp
Hp hp-ux
Ibm aix
Ibm i
Ibm z\/os
Linux
Linux linux Kernel
Microsoft
Microsoft windows
Oracle
Oracle solaris

Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00244}

epss

{'score': 0.00171}


Thu, 26 Jun 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 25 Jun 2025 20:45:00 +0000

Type Values Removed Values Added
Description IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially crafted sequence of serialized objects.
Title IBM WebSphere Application Server code execution
First Time appeared Ibm
Ibm websphere Application Server
Weaknesses CWE-502
CPEs cpe:2.3:a:ibm:websphere_application_server:8.5:*:*:*:*:*:*:*
cpe:2.3:a:ibm:websphere_application_server:9.0:*:*:*:*:*:*:*
Vendors & Products Ibm
Ibm websphere Application Server
References
Metrics cvssV3_1

{'score': 9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2025-08-26T14:51:51.996Z

Reserved: 2025-04-15T21:16:09.685Z

Link: CVE-2025-36038

cve-icon Vulnrichment

Updated: 2025-06-26T14:19:43.241Z

cve-icon NVD

Status : Analyzed

Published: 2025-06-25T21:15:20.447

Modified: 2025-07-18T18:11:33.440

Link: CVE-2025-36038

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.