Impact
IBM WebSphere Application Server versions 8.5 and 9.0 are vulnerable to remote code execution caused by a bypass of security controls. The vulnerability is classified as CWE-94, an input injection weakness, and can lead to complete loss of confidentiality, integrity, and availability. The description states that remote code execution is possible but does not specify the privilege level at which the code would run; that remains an inference.
Affected Systems
The affected platforms are IBM WebSphere Application Server 9.0 and 8.5. For 9.0, the problem exists in versions from 9.0.0.0 through 9.0.5.28; for 8.5 it exists from 8.5.0.0 through 8.5.5.29. IBM recommends applying the interim fix PH71453 or upgrading to fix packs 9.0.5.29 or later for 9.0, and 8.5.5.30 or later for 8.5.
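A version-triage helper for the ranges quoted above, added here as an example and not part of the advisory or of IBM's tooling. The inventory is constructed sample data; note that a version string alone cannot show whether interim fix PH71453 has been applied, so hosts flagged as affected still need their installed fixes confirmed.

```python
from typing import Dict, List, Optional, Tuple

# Affected ranges and first fixed fix pack, as stated in the advisory:
# (release, first affected, last affected, first fixed fix pack).
AFFECTED_RANGES = [
    ("9.0", (9, 0, 0, 0), (9, 0, 5, 28), "9.0.5.29"),
    ("8.5", (8, 5, 0, 0), (8, 5, 5, 29), "8.5.5.30"),
]
INTERIM_FIX = "PH71453"


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse a dotted WebSphere version such as '9.0.5.17' into a 4-tuple.

    Missing trailing components are padded with 0 so '9.0.5' sorts before
    '9.0.5.1'; anything that is not 1 to 4 non-negative integers is rejected.
    """
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4 or any(p < 0 for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def assess(version: str) -> Tuple[str, Optional[str]]:
    """Classify one installed version against the advisory's ranges.

    Returns (status, remediation): 'affected' with the remediation text,
    'fixed' for a covered release at or above its fixing fix pack, or
    'not-in-scope' for releases the advisory does not mention.
    Caveat: the interim fix does not change the reported version, so an
    'affected' result must be confirmed against the installed fix list.
    """
    v = parse_version(version)
    for _release, first, last, fixed in AFFECTED_RANGES:
        if first <= v <= last:
            return ("affected",
                    f"apply interim fix {INTERIM_FIX} or upgrade to {fixed} or later")
        if v[:2] == first[:2] and v > last:
            return "fixed", None
    return "not-in-scope", None


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the hostnames whose reported version falls in an affected range."""
    return sorted(h for h, ver in inventory.items() if assess(ver)[0] == "affected")


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {"was-prod-01": "9.0.5.28", "was-prod-02": "9.0.5.29",
              "was-legacy-01": "8.5.5.29", "was-legacy-02": "8.5.5.30"}
    for host in triage(sample):
        print(host, assess(sample[host])[1])
```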
Risk and Exploitability
The CVSS score is 9, indicating a high severity level. EPSS data is not available, so the exact likelihood of exploitation is unknown, but the risk is considered significant because the flaw allows remote code execution. The vulnerability is not listed in the CISA KEV catalog, but the lack of a KEV listing does not diminish the threat. Based on the description, it is inferred that the attack vector may involve network-exposed WebSphere interfaces, where an attacker could send specially crafted requests to trigger code execution. The impact is immediate and severe, so any exposed instance should be patched without delay.
OpenCVE Enrichment