External risk intelligence

IBM i WebSphere Intelligent Management Remote Code Execution and Denial of Service

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-9072

The vulnerability affects the WebSphere WebServer Plug-in, which is commonly deployed at the edge of network architectures to route traffic from public-facing web servers to backend application servers. Because it acts as an interface between the internet and application services, it is commonly reachable in internet-facing configurations.

Code Injection

Ibm I

7.3 to 7.6

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in IBM i and WebSphere Application Server components that use Intelligent Management with the WebSphere WebServer Plug-in. This issue could allow an unauthorized attacker to execute arbitrary code or disrupt service by impersonating backend servers and sending malicious responses to the plug-in, potentially impacting system availability and integrity.

  • Attackers can run code or crash systems.
  • Affects critical IBM middleware, often internet-facing.
  • Confirm relevance and assess potential exposure.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by impersonating backend servers and sending specially crafted responses to the WebSphere WebServer Plug-in. This plug-in is often exposed externally as it routes traffic from public web servers to internal application servers. Successful exploitation could allow an attacker to execute arbitrary code remotely or cause a denial of service.

  • Requires network access.
  • Crafted responses to the plug-in.
  • Remote code execution and denial of service.

Live Threat

Current exploitation, exposure, and threat context

When supported by the advisory, an attacker impersonating backend servers could send crafted responses to the WebSphere WebServer Plug-in, potentially leading to remote code execution and denial of service.

  • System data could be affected.
  • Exploitation could occur via crafted responses.
  • Service disruption or unauthorized code execution is possible.

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical vulnerability impacts IBM i and WebSphere Application Server, specifically when using Intelligent Management with the WebSphere WebServer Plug-in. The primary responsibility for addressing this issue likely falls to the platform or infrastructure teams managing these core services, in coordination with network and security teams for exposure assessment. The first practical step is to identify all instances of the affected plug-in, determine their network reachability and business criticality, and then confirm the specific asset owner to prioritize and plan remediation.

  • Platform/infrastructure teams own remediation.
  • Verify plug-in reachability and criticality.
  • Coordinate planned maintenance for fixes.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is IBM i and the WebSphere WebServer Plug-in?

IBM i is an integrated operating system designed for enterprise applications, often used in banking and logistics. The WebSphere WebServer Plug-in is a component that acts as a bridge, allowing web servers to communicate with backend application servers. It is a fundamental piece of middleware used to manage high-traffic environments where different parts of an application architecture need to exchange data reliably and efficiently.

What does CWE-94 mean in the context of CVE-2026-9072?

CWE-94 refers to Improper Control of Generation of Code, commonly known as Code Injection. In this CVE, the vulnerability allows an attacker to manipulate the data sent from a backend server to the WebSphere WebServer Plug-in. Because the plug-in does not properly validate these responses, it can be tricked into executing unauthorized commands, effectively letting the attacker run their own code on the system.

How does an attacker trigger this vulnerability?

An attacker triggers the vulnerability by impersonating a legitimate backend server to the WebSphere WebServer Plug-in. By sending a specially crafted, malicious response, the attacker exploits the plug-in's trust. Note that simply sending generic web traffic or requests to the system is not enough; the attack specifically requires crafting a response that mimics the protocol expected from a backend application server.

Why should I care about this vulnerability?

This vulnerability is critical because of where the component sits. Halo Surface Signal notes that the WebSphere WebServer Plug-in is typically positioned at the network edge to route public traffic. This means that if your instance is internet-facing, it is likely reachable by unauthorized parties who do not need prior access to your internal network to attempt the exploit.

What are the first steps to address CVE-2026-9072?

Begin by inventorying your environment to locate all instances of the WebSphere WebServer Plug-in, particularly those using Intelligent Management features. Once identified, evaluate their network reachability to determine which are internet-facing. After assessing their business criticality, coordinate with your infrastructure and security teams to prioritize these assets for maintenance or configuration updates as provided by the vendor.

References