Impact
The WebSphere Web Server Plug‑in component is vulnerable to remote code execution and denial of service when an attacker impersonates the application server and sends crafted responses to the plug‑in. This flaw allows the attacker to run arbitrary code on the IBM i system and disrupt the availability of the affected services.
Affected Systems
IBM i releases 7.3, 7.4, 7.5 and 7.6, together with IBM WebSphere Application Server and IBM WebSphere Application Server Liberty, are affected. The official fix is distributed as PTF 7.6SJ10122 for release 7.6, PTF 7.5SJ10121 for release 7.5, SJ10120 for release 7.4 and PTF 7.3SJ10119 for release 7.3. Users of unsupported or older versions are strongly advised to upgrade to a supported, patched version of the product.
Risk and Exploitability
The CVSS score of 7.5 indicates a high severity. The EPSS score of 0.0026 (0.26%) signals a very low probability of exploitation, and the vulnerability is not listed in CISA’s KEV catalog, implying no documented exploits to date. The attack is believed to be remotely attainable through network access to the WebSphere Web Server Plug‑in, where an attacker can impersonate the application server. Because the flaw permits arbitrary code execution, the risk to confidentiality, integrity and availability remains considerable if exploited.
OpenCVE Enrichment