CVE-2026-7770 - Vulnerability Details

- IBM i Access Client Solutions (ACS) is vulnerable to remote code execution when configured to listen for requests from IBM i Navigator

Description

IBM i Access Family 1.1.5.0 through 1.1.9.12 IBM i Access Client Solutions (ACS) is vulnerable to remote code execution when configured to listen for requests from IBM i Navigator.

Published: 2026-06-01

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability in IBM i Access Client Solutions versions 1.1.5.0 through 1.1.9.12 permits an attacker who can send requests to the ACS listener configured for IBM i Navigator to execute arbitrary code on the affected host. The flaw arises from improper handling of input, identified as CWE‑74, and if exploited, gives the attacker full system control, compromising confidentiality, integrity, and availability.

Affected Systems

IBM i Access Family products, specifically IBM i Access Client Solutions (ACS) running on IBM i, are affected for versions 1.1.5.0 up to and including 1.1.9.12. The vulnerability does not apply to newer releases beyond 1.1.9.12.

Risk and Exploitability

With a CVSS base score of 8.8, the vulnerability is considered high severity. EPSS data is not available, so current exploitation probability cannot be quantified, and the issue is not listed in CISA’s KEV catalog. The likely attack vector is a remote client, such as IBM i Navigator, that can connect to the ACS listener and send specially crafted requests, enabling an attacker to attain arbitrary code execution on the host.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

IBM

i Access Family

affected

Version	Status	Constraints
`1.1.5.0`	affected	≤ 1.1.9.12

No data.

Vendor Product Confidence Versions

Ibm

I Access Family

100%

Version	Status	Scheme	Platform
`[1.1.5.0,1.1.9.12]`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

Vendor Solution

The issue can be fixed by upgrading to version 1.1.9.13 or later. See https://www.ibm.com/mysupport/s/fix-information?legacy=SJ09731 7.5SJ09729 https://www.ibm.com/mysupport/s/fix-information?legacy=SJ09729 7.4SJ09730 https://www.ibm.com/mysupport/s/fix-information?legacy=SJ09730 7.3SJ09732 https://www.ibm.com/mysupport/s/fix-information?legacy=SJ09732

OpenCVE Recommended Actions

Upgrade IBM i Access Client Solutions to version 1.1.9.13 or later using the fix information links provided by IBM.
If upgrading immediately is not possible, disable or restrict the ACS listener that accepts requests from IBM i Navigator, limiting connections to a trusted subnet or authorized IP range.
Verify that authentication and authorization controls are correctly enforced on ACS communications so that only authenticated users can initiate requests, mitigating opportunities to exploit the flaw.
Monitor ACS logs for unexpected or malformed requests that could indicate attempts to exploit the vulnerability.

Generated by OpenCVE AI on June 1, 2026 at 20:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00439.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://www.ibm.com/support/pages/node/7274214

History

Tue, 02 Jun 2026 13:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 01 Jun 2026 19:00:00 +0000

Type	Values Removed	Values Added
Description		IBM i Access Family 1.1.5.0 through 1.1.9.12 IBM i Access Client Solutions (ACS) is vulnerable to remote code execution when configured to listen for requests from IBM i Navigator.
Title		IBM i Access Client Solutions (ACS) is vulnerable to remote code execution when configured to listen for requests from IBM i Navigator
First Time appeared		Ibm Ibm i Access Family
Weaknesses		CWE-74
CPEs		cpe:2.3:a:ibm:i_access_family:1.1.5.0:::::::* cpe:2.3:a:ibm:i_access_family:1.1.9.12:::::::*
Vendors & Products		Ibm Ibm i Access Family
References		https://www.ibm.com/support/pages/node/7274214
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

Ibm I Access Family

MITRE

Status: PUBLISHED

Assigner: ibm

Published: 2026-06-01T17:45:00.983Z

Updated: 2026-06-02T12:44:52.036Z

Reserved: 2026-05-04T14:12:38.595Z

Link: CVE-2026-7770

Vulnrichment

Updated: 2026-06-02T12:44:48.482Z

NVD

Status : Awaiting Analysis

Published: 2026-06-01T19:16:54.773

Modified: 2026-06-02T14:01:26.667

Link: CVE-2026-7770

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T20:53:05Z

Weaknesses

CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object