
IBM WebSphere Application Server Vulnerability Enables Arbitrary Code Execution

IBM has disclosed a critical security vulnerability in its WebSphere Application Server that could allow remote attackers to execute arbitrary code on affected systems.

The vulnerability, designated as CVE-2025-36038, was initially published on June 25, 2025, with a corrected CVE identifier issued the same day.

The flaw is a deserialization of untrusted data weakness in IBM WebSphere Application Server, classified under CWE-502.

It carries a CVSS 3.1 base score of 9.0, a critical rating that demands immediate attention from system administrators and security teams.

The flaw lies in how the application server processes serialized objects: a specially crafted sequence of serialized objects can lead to arbitrary code execution by a remote attacker.

The CVSS vector (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) shows that the flaw is exploitable over the network without privileges or user interaction, that a successful exploit crosses a security boundary (S:C, scope changed), and that it fully compromises confidentiality, integrity, and availability of affected systems. The one mitigating factor is high attack complexity (AC:H), which is what holds the score at 9.0 rather than 10.0.

Deserialization flaws of this kind are a recurring problem in enterprise Java environments, because a successful exploit typically hands the attacker full control of the affected process.

Because the attack is delivered over the network and needs no prior credentials, any exposed server running a vulnerable version can be targeted without an existing foothold in the environment.

Affected Systems

The vulnerability impacts two major versions of IBM WebSphere Application Server currently in widespread enterprise use.

Version 9.0 installations from 9.0.0.0 through 9.0.5.24 are confirmed vulnerable, along with Version 8.5 systems running releases 8.5.0.0 through 8.5.5.27.
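Checking an inventory against those ranges is easy to get wrong if versions are compared as strings (as strings, "9.0.5.9" sorts after "9.0.5.24"). The following Python is an added example, not code from IBM or the original article: it parses WebSphere fix-pack versions into numeric tuples and reports, for each host, whether it falls inside the affected ranges from the bulletin. The inventory dictionary is constructed sample data.

```python
# Affected ranges as stated in the IBM bulletin, keyed by release stream:
# (first affected, last affected, first fixed fix pack).
AFFECTED_RANGES = {
    "9.0": ((9, 0, 0, 0), (9, 0, 5, 24), "9.0.5.25"),
    "8.5": ((8, 5, 0, 0), (8, 5, 5, 27), "8.5.5.28"),
}


def parse_version(version: str) -> tuple:
    """Turn '9.0.5.24' (or a shorter prefix) into a 4-tuple of ints."""
    parts = version.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised WebSphere version string: {version!r}")
    return tuple(int(p) for p in parts) + (0,) * (4 - len(parts))


def is_affected(version: str) -> bool:
    """True if the version lies inside an affected range; tuple comparison
    is numeric, so 9.0.5.9 is correctly treated as older than 9.0.5.24."""
    v = parse_version(version)
    stream = f"{v[0]}.{v[1]}"
    if stream not in AFFECTED_RANGES:
        return False  # release stream not named in the bulletin
    low, high, _ = AFFECTED_RANGES[stream]
    return low <= v <= high


def triage(inventory: dict) -> dict:
    """Map each host to the fix pack it needs, or None if not affected."""
    result = {}
    for host, version in inventory.items():
        if is_affected(version):
            stream = ".".join(str(p) for p in parse_version(version)[:2])
            result[host] = AFFECTED_RANGES[stream][2]
        else:
            result[host] = None
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "was-prod-01": "9.0.5.24",
    "was-prod-02": "9.0.5.9",
    "was-legacy-01": "8.5.5.27",
    "was-patched-01": "9.0.5.25",
}

if __name__ == "__main__":
    for host, fix in triage(SAMPLE_INVENTORY).items():
        print(host, "needs" if fix else "ok", fix or "")
```

The fix-pack targets in AFFECTED_RANGES are the ones the bulletin names; an interim fix applied on top of a lower fix pack will still show the lower version here, so treat the output as a list of hosts to verify rather than a final verdict.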

These versions represent a substantial portion of IBM’s WebSphere Application Server deployments across enterprise environments worldwide.

The vulnerability lies in the server's object deserialization mechanisms, where a specially crafted sequence of serialized objects can trigger unintended code execution in the context of the application server process.

The high attack-complexity rating (AC:H) reflects that building a working exploit requires detailed knowledge of Java serialization and of the specific deserialization paths within WebSphere Application Server.

However, once developed, such exploits can be deployed remotely against vulnerable installations, making this a significant concern for organizations running affected versions in production environments.

Remediation Steps

IBM has released comprehensive remediation guidance through APAR PH66674, emphasizing the urgency of applying available fixes.

For Version 9.0 installations, administrators can either upgrade to the minimum fix pack level required by the interim fix and then apply interim fix PH66674, or apply Fix Pack 9.0.5.25, targeted for release in the third quarter of 2025.

Similarly, Version 8.5 users should upgrade to the required fix pack level before applying the interim fix for PH66674, or plan for Fix Pack 8.5.5.28, also targeted for third-quarter 2025 availability.

IBM has confirmed that additional interim fixes may become available through their standard download channels.

Notably, IBM has identified no workarounds or mitigations for this vulnerability, making the application of patches the only viable protection strategy.

This absence of alternative protective measures underscores the critical nature of the vulnerability and the importance of prompt remediation efforts.

Organizations using affected WebSphere Application Server versions should prioritize patch deployment and consider implementing additional network security controls to limit exposure during the patching process.


Ethan Brooks

Ethan Brooks is a Senior cybersecurity journalist passionate about threat intelligence and data privacy. His work highlights cyber attacks, hacking, security culture, and cybercrime with The Cyber News.
