External risk intelligence

IBM WebSphere Extreme Scale CORBA Stub SSRF to RCE

CVE advisorySeverity: CRITICAL (CVSS 10.0)

CVE-2026-13773

WebSphere eXtreme Scale is typically deployed as part of backend caching or data grid infrastructure within enterprise environments. While it processes network requests, it is generally positioned behind application servers or internal load balancers rather than being directly exposed to the public internet by design.

Server-Side Request Forgery

Ibm Websphere Extreme Scale

8.6.1.0 to 8.6.1.6

Halo Surface Signal: 3 out of 5 — possibly public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in IBM WebSphere Extreme Scale could allow attackers to execute malicious code by manipulating data deserialization through a server-side request forgery flaw. This issue arises when processing attacker-controlled data, potentially leading to compromised systems. The main concern is to confirm if this technology is in use and assess any exposure.

  • Flaw enables unauthorized code execution via data manipulation.
  • Matters if your organization uses this IBM data technology.
  • Confirm relevance and exposure of this IBM data technology.

Attack Path

How an attacker could exploit the issue

An attacker can initiate a journey by sending a crafted CORBA stub class to a vulnerable IBM WebSphere Extreme Scale component. This component, when processing the attacker-controlled input during Java deserialization, can be tricked into making an outbound IIOP connection to a host chosen by the attacker. If this is chained with another flaw, it can lead to remote code execution on the affected system.

  • No authentication or privileges required.
  • Vulnerable component processes attacker-controlled input.
  • Remote code execution on calling JVM.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker to remotely execute code on a vulnerable Java Virtual Machine (JVM) by sending specially crafted input. This is possible when a specific method is called with an attacker-controlled string, which can be triggered through Java deserialization. When combined with another flaw, this can lead to broader system compromise.

  • JVM code execution.
  • Unfiltered deserialization sink.
  • Remote code execution.

Operational Fix

Recommended remediation, mitigation, and detection steps

IBM WebSphere Extreme Scale environments require coordination between application owners, platform teams, and security teams to address this vulnerability. The initial practical step is to identify all instances of the affected technology, determine their reachability and business criticality, and then locate the accountable owner to plan remediation based on assessed risk.

  • Confirm asset ownership for affected instances.
  • Verify network exposure and criticality.
  • Plan remediation with the vendor.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is IBM WebSphere eXtreme Scale?

IBM WebSphere eXtreme Scale is a high-performance, elastic in-memory data grid. It is primarily used by enterprise organizations to cache data and manage distributed application states, helping backend systems scale by reducing the load on primary databases.

What does CWE-918 mean in the context of CVE-2026-13773?

CWE-918 represents Server-Side Request Forgery (SSRF). In this specific vulnerability, the software is tricked into sending network requests to locations chosen by an attacker. Because the system performs these requests on behalf of the attacker, it can reach internal resources that would otherwise be blocked.

How is this vulnerability triggered by an attacker?

An attacker triggers this by sending a specially crafted CORBA stub class to a vulnerable component. When the software attempts to deserialize this data, it incorrectly processes the attacker's input. The bug does not trigger during normal, expected application operations, only when the system is forced to handle malicious, untrusted data strings.

Do I need to worry if my systems are not internet-facing?

According to Halo Surface Signal, this technology is typically deployed in internal backend environments rather than directly on the public internet. While this may limit immediate external reach, you should still care if an attacker has already gained a foothold inside your network, as they could then target these internal data grid components.

What is the first step to address CVE-2026-13773?

The most important first step is to perform an inventory of your environment to locate all instances of the affected software versions. Once identified, work with the team responsible for those assets to verify their network configuration and assess the potential impact to your specific business operations before planning further remediation.

References