IBM WebSphere: RCE via JAX-WS deserialization (CVSS 9.0) — CRITICAL (CVE-2026-9319)

CISO Take

IBM WebSphere Application Server 9.0 and 8.5 contain a critical deserialization vulnerability in JAX-WS endpoints protected by WS-Security, enabling unauthenticated remote code execution with full confidentiality, integrity, and availability impact scoped beyond the vulnerable component (S:C). Enterprise AI deployments frequently run on WebSphere as middleware for model-serving APIs, ML pipeline orchestration, and AI data integrations — a compromised application server hands attackers direct access to model weights, training data, inference credentials, and downstream AI microservices. Although Attack Complexity is rated High and this CVE is not yet in CISA KEV (no confirmed active exploitation), the zero-privilege-required, network-accessible attack surface on a widely deployed enterprise Java stack makes this a high-priority patch — Java deserialization gadget chains are well-tooled (ysoserial) and lower the real-world exploitation bar below AC:H alone suggests. Apply IBM's remediation per advisory 7274738 immediately and restrict JAX-WS endpoint exposure to trusted network segments as an interim control.

Sources: NVD IBM Advisory (ibm.com) ATLAS CISA KEV

What is the risk?

Critical risk for enterprises running IBM WebSphere as AI/ML application middleware. The CVSS:3.1 Scoped impact (S:C) indicates this vulnerability can break WebSphere's security boundary and affect adjacent systems — particularly dangerous in AI architectures where the application server orchestrates multiple downstream ML services and holds credentials to connected LLM APIs. Attack Complexity: High provides some natural defense, requiring an adversary to craft a precise Java deserialization gadget chain; however, public tooling (ysoserial, Burp deserialization scanner) significantly reduces this barrier for skilled attackers. No confirmed KEV listing means active exploitation is not yet observed, but IBM WebSphere is a high-value target in regulated industries (finance, healthcare, government) where AI deployments are common. Organizations with internet-facing JAX-WS endpoints are at highest residual risk.

Attack Kill Chain

Reconnaissance

Adversary scans for exposed IBM WebSphere JAX-WS SOAP endpoints, fetches WSDL files to map service structure, and confirms WS-Security is enabled on endpoints hosting AI workloads.

AML.T0006

Exploitation

Attacker sends a crafted SOAP request with a malicious serialized Java gadget chain (e.g., CommonsCollections via ysoserial) embedded in WS-Security headers; WebSphere deserializes the payload during security processing, triggering arbitrary code execution in the JVM.

AML.T0049

Persistence & Lateral Movement

Adversary establishes a reverse shell from the WebSphere JVM and pivots to connected AI infrastructure — extracting credentials from WebSphere JNDI configuration for databases, model registries, and LLM API services.

AML.T0072

AI Asset Exfiltration

Attacker exfiltrates model weights, training datasets, proprietary inference code, and API keys for connected LLM services from the compromised server and its accessible storage mounts.

AML.T0025

Reconnaissance

Adversary scans for exposed IBM WebSphere JAX-WS SOAP endpoints, fetches WSDL files to map service structure, and confirms WS-Security is enabled on endpoints hosting AI workloads.

AML.T0006

Exploitation

Attacker sends a crafted SOAP request with a malicious serialized Java gadget chain (e.g., CommonsCollections via ysoserial) embedded in WS-Security headers; WebSphere deserializes the payload during security processing, triggering arbitrary code execution in the JVM.

AML.T0049

Persistence & Lateral Movement

Adversary establishes a reverse shell from the WebSphere JVM and pivots to connected AI infrastructure — extracting credentials from WebSphere JNDI configuration for databases, model registries, and LLM API services.

AML.T0072

AI Asset Exfiltration

Attacker exfiltrates model weights, training datasets, proprietary inference code, and API keys for connected LLM services from the compromised server and its accessible storage mounts.

AML.T0025

Severity & Risk

CVSS 3.1

9.0 / 10

EPSS

0.2%

chance of exploitation in 30 days

Higher than 45% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Moderate

Attack Surface

AV Network

AC High

PR None

UI None

S Changed

C High

I High

A High

What should I do?

7 steps

Apply IBM's official security patch immediately per advisory https://www.ibm.com/support/pages/node/7274738 — prioritize internet-facing WebSphere instances hosting AI/ML workloads.
As an interim network control, restrict JAX-WS endpoint access to trusted IP ranges via WAF rules or network ACLs; block SOAP endpoints from public internet if not required.
Disable WS-Security processing on JAX-WS endpoints that do not require it.
Enable Java serialization filtering (JEP 290 / Global Serialization Filter) to block known gadget chains at the JVM level.
Monitor WebSphere access logs for anomalous SOAP message sizes, malformed WS-Security headers, unexpected JNDI lookups, or outbound connections from the JVM process indicative of reverse shell activity.
Audit all externally reachable JAX-WS endpoints; enforce authenticated access and IP allowlisting where feasible.
Rotate all credentials (API keys, database passwords, LLM service tokens) stored in WebSphere configuration if compromise is suspected.

Classification

Code Execution Supply Chain Data Extraction API Inference Framework AML.T0010.001 - AI Software AML.T0025 - Exfiltration via Cyber Means AML.T0049 - Exploit Public-Facing Application AML.T0072 - Reverse Shell

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 9 - Risk management system

ISO 42001

6.1.2 - AI risk assessment

NIST AI RMF

MANAGE 2.2 - Mechanisms are in place to sustain the value of deployed AI systems

OWASP LLM Top 10

LLM03 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2026-9319?

IBM WebSphere Application Server 9.0 and 8.5 contain a critical deserialization vulnerability in JAX-WS endpoints protected by WS-Security, enabling unauthenticated remote code execution with full confidentiality, integrity, and availability impact scoped beyond the vulnerable component (S:C). Enterprise AI deployments frequently run on WebSphere as middleware for model-serving APIs, ML pipeline orchestration, and AI data integrations — a compromised application server hands attackers direct access to model weights, training data, inference credentials, and downstream AI microservices. Although Attack Complexity is rated High and this CVE is not yet in CISA KEV (no confirmed active exploitation), the zero-privilege-required, network-accessible attack surface on a widely deployed enterprise Java stack makes this a high-priority patch — Java deserialization gadget chains are well-tooled (ysoserial) and lower the real-world exploitation bar below AC:H alone suggests. Apply IBM's remediation per advisory 7274738 immediately and restrict JAX-WS endpoint exposure to trusted network segments as an interim control.

Is CVE-2026-9319 actively exploited?

No confirmed active exploitation of CVE-2026-9319 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-9319?

1. Apply IBM's official security patch immediately per advisory https://www.ibm.com/support/pages/node/7274738 — prioritize internet-facing WebSphere instances hosting AI/ML workloads. 2. As an interim network control, restrict JAX-WS endpoint access to trusted IP ranges via WAF rules or network ACLs; block SOAP endpoints from public internet if not required. 3. Disable WS-Security processing on JAX-WS endpoints that do not require it. 4. Enable Java serialization filtering (JEP 290 / Global Serialization Filter) to block known gadget chains at the JVM level. 5. Monitor WebSphere access logs for anomalous SOAP message sizes, malformed WS-Security headers, unexpected JNDI lookups, or outbound connections from the JVM process indicative of reverse shell activity. 6. Audit all externally reachable JAX-WS endpoints; enforce authenticated access and IP allowlisting where feasible. 7. Rotate all credentials (API keys, database passwords, LLM service tokens) stored in WebSphere configuration if compromise is suspected.

What systems are affected by CVE-2026-9319?

This vulnerability affects the following AI/ML architecture patterns: enterprise AI middleware, model serving, AI API gateways, ML pipeline orchestration, Java EE AI integrations.

What is the CVSS score for CVE-2026-9319?

CVE-2026-9319 has a CVSS v3.1 base score of 9.0 (CRITICAL). The EPSS exploitation probability is 0.22%.

AI Security Impact

Affected AI Architectures

enterprise AI middlewaremodel servingAI API gatewaysML pipeline orchestrationJava EE AI integrations

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0025 Exfiltration via Cyber Means

AML.T0049 Exploit Public-Facing Application

AML.T0072 Reverse Shell

Compliance Controls Affected

EU AI Act: Article 9

ISO 42001: 6.1.2

NIST AI RMF: MANAGE 2.2

OWASP LLM Top 10: LLM03

Technical Details

Original Advisory

IBM WebSphere Application Server 9.0, and 8.5 is vulnerable to potential remote code execution due to deserialization of untrusted data via JAX-WS endpoints with WS-Security.

Exploitation Scenario

An adversary in the reconnaissance phase identifies IBM WebSphere JAX-WS endpoints exposed via an enterprise AI platform's SOAP API gateway — common in regulated-sector ML deployments built on legacy Java EE stacks. Using network scanning and WSDL endpoint discovery, the attacker maps available services and confirms WS-Security is in use. The attacker then crafts a malicious SOAP request embedding a serialized Java gadget chain payload (e.g., CommonsCollections via ysoserial) within a WS-Security element. When WebSphere processes the WS-Security header for integrity validation, it deserializes the untrusted payload before completing security checks, triggering arbitrary code execution within the JVM. The attacker establishes a reverse shell with application server privileges, extracts API credentials for connected LLM services (stored in WebSphere JNDI or environment config), accesses model artifacts and training data directories on mounted storage, and pivots to adjacent AI microservices and vector databases reachable from the compromised server.