Impact
The WebSphere Web Server Plug‑in component is vulnerable to remote code execution and denial of service when an attacker impersonates the application server and sends crafted responses to the plug‑in. This flaw enables an attacker to run arbitrary code on the IBM i system and to disrupt the availability of the affected services. The root cause is improper validation of responses received from the application server, which lets a malicious actor controlling those responses influence the plug‑in’s execution path.
Affected Systems
IBM i releases 7.3, 7.4, 7.5 and 7.6, together with IBM WebSphere Application Server and IBM WebSphere Application Server Liberty, are affected. The official fix is distributed as PTF 7.6SJ10122 for release 7.6, PTF 7.5SJ10121 for release 7.5, PTF 7.4SJ10120 for release 7.4 and PTF 7.3SJ10119 for release 7.3. Users of unsupported or older versions are strongly advised to upgrade to a supported, patched version of the product.
Risk and Exploitability
The CVSS score of 7.5 indicates high severity. No EPSS score is available, and the vulnerability is not currently listed in CISA’s KEV catalog, which suggests there is no publicly documented exploitation to date. However, the vulnerability is believed to be remotely exploitable by an attacker who has network access to the WebSphere Web Server Plug‑in and is able to impersonate the application server. Because the flaw permits arbitrary code execution, the risk to confidentiality, integrity and availability is considerable if it is exploited.
OpenCVE Enrichment