IBM has issued a security alert regarding a high-severity vulnerability, CVE-2025-36038, affecting WebSphere Application Server versions 8.5 and 9.0. With a CVSS base score of 9.0, this flaw could allow unauthenticated remote code execution (RCE) via a maliciously crafted serialization payload, posing a serious risk to enterprise Java applications.
According to IBM’s security bulletin:
“IBM WebSphere Application Server could allow a remote attacker to execute arbitrary code on the system with a specially crafted sequence of serialized objects.”
This vulnerability opens the door to full system compromise if exploited successfully, as attackers could remotely inject and run malicious code without requiring prior authentication.
The vulnerability impacts the following WebSphere Application Server (WAS) versions:
- Version 9.0.0.0 through 9.0.5.24
- Version 8.5.0.0 through 8.5.5.27
These versions are widely deployed in enterprise environments, making the risk significant across industries that rely on IBM middleware for their Java EE applications.
IBM has provided detailed remediation instructions to mitigate this threat. Users are strongly urged to take immediate action.
- For Version 9.0:
  - Apply Fix Pack 9.0.5.25 or later (expected availability: Q3 2025), or
  - Use the appropriate interim fix for APAR PH66674
- For Version 8.5:
  - Apply Fix Pack 8.5.5.28 or later (expected availability: Q3 2025), or
  - Use the corresponding interim fix for APAR PH66674
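The affected ranges and fix-pack levels above translate directly into an inventory triage check. The script below is an added example, not IBM's tooling; the host inventory it runs over is constructed, and whether an interim fix for APAR PH66674 is installed is supplied by the caller, since that is not derivable from the version string alone.

```python
"""Triage WebSphere Application Server (traditional) hosts against CVE-2025-36038."""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]

# Inclusive affected ranges and the first fixed Fix Pack, per the IBM bulletin.
AFFECTED: Dict[str, Tuple[Version, Version, str]] = {
    "9.0": ((9, 0, 0, 0), (9, 0, 5, 24), "9.0.5.25"),
    "8.5": ((8, 5, 0, 0), (8, 5, 5, 27), "8.5.5.28"),
}


def parse_version(text: str) -> Version:
    """Parse 'a.b.c.d' into a comparable tuple; shorter strings are zero-padded."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised WAS version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (4 - len(parts))
    return (nums[0], nums[1], nums[2], nums[3])


def assess(version: str, interim_fix_applied: bool = False) -> dict:
    """Decide whether one WAS install still needs remediation and what to apply."""
    v = parse_version(version)
    stream = f"{v[0]}.{v[1]}"
    if stream not in AFFECTED:
        return {"version": version, "affected": False,
                "action": "not a release stream listed in the bulletin"}
    low, high, fixed = AFFECTED[stream]
    if low <= v <= high and not interim_fix_applied:
        return {"version": version, "affected": True,
                "action": f"apply Fix Pack {fixed} or later, or the interim fix for APAR PH66674"}
    return {"version": version, "affected": False, "action": "no action required"}


def triage(inventory: List[Tuple[str, str, bool]]) -> List[Tuple[str, str]]:
    """Return (host, action) for every inventory entry that is still exposed."""
    exposed = []
    for host, version, ifix in inventory:
        result = assess(version, ifix)
        if result["affected"]:
            exposed.append((host, result["action"]))
    return exposed


# Constructed sample inventory: (hostname, WAS version, interim fix for PH66674 applied?)
SAMPLE_INVENTORY = [
    ("was-prod-01", "9.0.5.24", False),   # top of the 9.0 affected range, unpatched
    ("was-prod-02", "9.0.5.25", False),   # first fixed 9.0 Fix Pack
    ("was-legacy-01", "8.5.5.27", False), # top of the 8.5 affected range, unpatched
    ("was-legacy-02", "8.5.5.20", True),  # in range, but interim fix applied
]

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY):
        print(f"{host}: {action}")
```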