Impact
The vulnerability allows an attacker to send crafted responses to the WebSphere WebServer Plug-in when Intelligent Management is enabled. By impersonating backend servers, the attacker can cause the plug-in to execute arbitrary code or trigger a denial of service. This results in remote code execution and loss of availability on the IBM i platform running IBM WebSphere Application Server or Liberty. The weakness corresponds to code injection (CWE-94) and could compromise the confidentiality, integrity and availability of affected systems.
Affected Systems
IBM i 7.6, 7.5, 7.4, and 7.3, together with IBM WebSphere Application Server and the Liberty profile that use the Intelligent Management WebServer Plug-in component, are impacted. The applicable PTFs (SJ10122, SJ10121, SJ10120, SJ10119) target these specific platform releases. Any installation of these versions without the corresponding fix is considered vulnerable. Unsupported versions that still use the plug-in should also be upgraded to a supported release.
Risk and Exploitability
The CVSS score of 8.1 indicates high severity. The EPSS score is not provided, and the vulnerability is not listed in CISA's KEV catalog, suggesting no confirmed exploitation in the wild yet. Nonetheless, the attack vector requires only that a remote attacker be able to communicate with the vulnerable plug-in in order to send forged responses. Because the vulnerability can lead to remote code execution, the risk remains high for environments that expose the plug-in to external networks.
OpenCVE Enrichment