CVE-2025-36038: 
IBM WebSphere Application Server vulnerability analysis and mitigation

CVE-2025-36038 is a critical vulnerability affecting IBM WebSphere Application Server versions 8.5 and 9.0, disclosed on June 25, 2025. The vulnerability allows remote attackers to execute arbitrary code on the system through a specially crafted sequence of serialized objects. This vulnerability has been classified under CWE-502 (Deserialization of Untrusted Data) (IBM Security Bulletin, Wiz).

The vulnerability has been assigned a CVSS v3.1 base score of 9.0 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H. This scoring indicates that the vulnerability can be exploited remotely (Network), requires high attack complexity, needs no privileges, requires no user interaction, changes scope, and can result in high impacts to confidentiality, integrity, and availability (NVD, IBM Security Bulletin).

The vulnerability poses severe risks to affected systems, with potential for high impact across confidentiality, integrity, and availability. A successful exploitation could allow attackers to execute arbitrary code on the target system, potentially leading to complete system compromise (IBM Security Bulletin, SecurityOnline).

IBM recommends addressing the vulnerability by applying available interim fixes or fix packs containing the fix for APAR PH66674. For WebSphere Application Server V9.0.0.0 through 9.0.5.24, users should either upgrade to Fix Pack 9.0.5.25 or later (targeted for 3Q2025) or apply the Interim Fix for PH66674. For versions 8.5.0.0 through 8.5.5.27, users should upgrade to Fix Pack 8.5.5.28 or later (targeted for 3Q2025) or apply the Interim Fix for PH66674. No workarounds are available (IBM Security Bulletin).