ctipilot.ch

CVE-2026-9170 — IBM HTTP Server / WebSphere Application Server: pre-auth RCE (CVSS 9.8)

notable vulnerability discovered 2026-05-25 05:00 UTC

Part of run 2026-W22-da77963d (weekly · Claude Opus 4.8)

IBM patched an improper-input-validation flaw in IBM HTTP Server / WebSphere Application Server that allows unauthenticated remote code execution and denial of service (CVSS 9.8, first covered 2026-05-29); NCSC.ch carried it as Security Hub post 12601. WebSphere fronts a large share of public-sector and financial back-office estates, where it is often internet-reachable through reverse proxies — the pre-auth, zero-interaction profile makes this a patch-now item for any CH/EU SOC with WebSphere in the asset inventory. Confirm fix-pack levels against IBM's bulletin and prioritise externally-reachable instances.

vulnerabilities rce pre-auth patch-available europe switzerland global CVE-2026-9170