Impact
The vulnerability resides in IBM WebSphere Extreme Scale 8.6.1.*, where about 50 generated CORBA stub classes in ogclient.jar call ORB.string_to_object() on an attacker-controlled IOR string during Java deserialization. This allows any unfiltered ObjectInputStream sink in the WAS environment to perform an outbound IIOP server-side request forgery (SSRF) to a host chosen by the attacker. When combined with a known flaw in IBM ORB's getUserException class instantiation (WAS-26), the SSRF can be leveraged to execute arbitrary code on the JVM handling the deserialization, resulting in remote code execution. The weakness is classified as CWE-918.
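As an added defender-side example (not part of this advisory or of IBM's code), the following Python decoder parses a stringified IOR so that an analyst triaging a captured deserialization payload or an ORB log can see which host and port the ORB.string_to_object() call would connect to. The CDR and IIOP profile layout follows the CORBA specification; the sample IOR, its type id, host example.invalid and port 2809 are constructed for this example.

```python
import struct

class CDR:
    """Minimal CDR reader for one encapsulation; alignment is relative to its first byte."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 1
        self.fmt = "<" if data[0] == 1 else ">"   # leading octet is the byte-order flag

    def align(self, n):
        self.pos = (self.pos + n - 1) // n * n

    def octet(self):
        self.pos += 1
        return self.data[self.pos - 1]

    def unpack(self, code, size):
        self.align(size)
        value = struct.unpack_from(self.fmt + code, self.data, self.pos)[0]
        self.pos += size
        return value

    def octets(self):                       # sequence<octet>: ulong length, then raw bytes
        n = self.unpack("I", 4)
        self.pos += n
        return self.data[self.pos - n:self.pos]

    def string(self):                       # string: same wire form, NUL-terminated
        return self.octets().rstrip(b"\0").decode("latin-1")

def parse_ior(ior: str):
    """Return (type_id, [(host, port, iiop_version), ...]) for a stringified 'IOR:' reference."""
    if not ior.startswith("IOR:"):
        raise ValueError("not a stringified IOR")
    outer = CDR(bytes.fromhex(ior[4:]))
    type_id = outer.string()
    targets = []
    for _ in range(outer.unpack("I", 4)):           # sequence<TaggedProfile>
        tag, body = outer.unpack("I", 4), outer.octets()
        if tag == 0:                                # TAG_INTERNET_IOP: where the ORB would connect
            p = CDR(body)
            version = f"{p.octet()}.{p.octet()}"    # IIOP major.minor
            targets.append((p.string(), p.unpack("H", 2), version))
    return type_id, targets

def sample_ior():
    """Constructed sample (big-endian CDR, IIOP 1.2) that points at example.invalid:2809."""
    type_id, host, key = b"IDL:omg.org/CORBA/Object:1.0\0", b"example.invalid\0", b"key1"
    profile = (b"\0\x01\x02\0" + struct.pack(">I", len(host)) + host        # flag, 1.2, pad, host
               + struct.pack(">H", 2809) + b"\0\0"                          # port, pad to 4
               + struct.pack(">I", len(key)) + key + struct.pack(">I", 0))  # key, no components
    outer = (b"\0\0\0\0" + struct.pack(">I", len(type_id)) + type_id + b"\0\0\0"  # flag, pad, id, pad
             + struct.pack(">III", 1, 0, len(profile)) + profile)           # 1 profile, tag 0, data
    return "IOR:" + outer.hex()

if __name__ == "__main__":
    print(parse_ior(sample_ior()))  # ('IDL:omg.org/CORBA/Object:1.0', [('example.invalid', 2809, '1.2')])
```

Any IOR whose IIOP profile names a host outside the cluster's expected ORB endpoints is a candidate SSRF target and should be treated as suspect.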
Affected Systems
IBM WebSphere Extreme Scale products 8.6.1.0 through 8.6.1.6 are affected when the transport protocol OBJECT REQUEST BROKER (ORB) is used. Versions newer than 8.6.1.x, specifically 8.6.2.* and later, have removed ORB support entirely. The issue does not apply to deployments that use the XIO transport protocol.
Risk and Exploitability
The CVSS score of 6 indicates moderate severity, and the EPSS score is not available, so the real-world exploitation probability is uncertain. Based on the description, the likely attack vector is an attacker-controlled IOR string supplied during Java deserialization in a system that uses ORB transport. The vulnerability can be exploited by influencing data that is deserialized by the JVM, without requiring a separate network attack surface. Because the attack can lead to remote code execution, the impact on confidentiality, integrity, and availability is high. The absence of a KEV listing suggests it has not yet been widely exploited, but the vulnerability remains a serious risk that warrants immediate remediation.
OpenCVE Enrichment