IBM WebSphere Application Server and WebSphere Application Server Liberty update for Jakarta Mail



Risk: Medium
Patch available: Yes
Number of vulnerabilities: 1
CVE-ID: CVE-2025-7962
CWE-ID: CWE-77
Exploitation vector: Network
Public exploit: N/A

Vulnerable software:
- IBM WebSphere Application Server Liberty (Server applications / Application servers)
- IBM WebSphere Application Server (Server applications / Application servers)

Vendor: IBM Corporation

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Command Injection

EUVDB-ID: #VU114346

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-7962

CWE-ID: CWE-77 - Command injection

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary SMTP commands on the server.

The vulnerability exists due to insufficient input validation when CR-LF (carriage return / line feed) characters are handled in UTF-8 encoded input. A remote attacker can pass specially crafted input to the application and execute arbitrary SMTP commands on the server.
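As an added illustration (not IBM's or Jakarta Mail's code), the Java check below shows the defence-in-depth an application can apply before a user-supplied value reaches the mail API: decode the input strictly as UTF-8 so malformed byte sequences are rejected rather than silently replaced, then refuse any value containing a CR or LF code point. The class name SmtpValueGuard and the sample inputs are constructed for this example; the check complements, and does not replace, the vendor update.

```java
import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;

/** Added example: guard a value bound for an SMTP envelope or header (constructed, not vendor code). */
public final class SmtpValueGuard {
    private SmtpValueGuard() {}

    /** Strict UTF-8 decode: malformed or overlong sequences throw instead of becoming U+FFFD. */
    public static String decodeStrictUtf8(byte[] raw) throws CharacterCodingException {
        return StandardCharsets.UTF_8.newDecoder()
                .onMalformedInput(CodingErrorAction.REPORT)
                .onUnmappableCharacter(CodingErrorAction.REPORT)
                .decode(ByteBuffer.wrap(raw))
                .toString();
    }

    /** True if the decoded text contains CR or LF; the check runs on code points, not raw bytes. */
    public static boolean containsLineBreak(String value) {
        return value.codePoints().anyMatch(cp -> cp == '\r' || cp == '\n');
    }

    /** Returns the decoded value when it is a single line, otherwise rejects it. */
    public static String requireSingleLine(String field, byte[] raw) throws CharacterCodingException {
        String value = decodeStrictUtf8(raw);
        if (containsLineBreak(value)) {
            throw new IllegalArgumentException(field + " must not contain CR or LF");
        }
        return value;
    }

    public static void main(String[] args) throws CharacterCodingException {
        // Constructed sample inputs: a plain address, a non-ASCII address, and one with an injected line break.
        byte[] plain = "alice@example.com".getBytes(StandardCharsets.UTF_8);
        byte[] intl = "b\u00f6b@example.com".getBytes(StandardCharsets.UTF_8);
        byte[] injected = "alice@example.com\r\nextra".getBytes(StandardCharsets.UTF_8);

        System.out.println("accepted: " + requireSingleLine("recipient", plain));
        System.out.println("accepted: " + requireSingleLine("recipient", intl));
        try {
            requireSingleLine("recipient", injected);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```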

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

IBM WebSphere Application Server Liberty: 17.0.0.3 - 25.0.0.11

IBM WebSphere Application Server: 8.5 - 9.0.5.26

External links

https://www.ibm.com/support/pages/node/7250200


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
