CVE-2026-4410 · CWE-400 · Disclosed 2026-05-27

IBM WebSphere Application Server - Liberty 19

ASSESSED — NOISGATE V0.5
01 · The Real Story

Like needing a badge, the right hallway, and a fire alarm pull just to empty one wing

IBM says CVE-2026-4410 lets a remote attacker send a specially crafted request that drives memory consumption and causes a denial of service. The affected ranges are broad on paper: WebSphere Liberty 19.0.0.7 through 26.0.0.5 when the sipServlet-1.1 feature is enabled, plus traditional WebSphere 9.0.0.0 through 9.0.5.27 and 8.5.0.0 through 8.5.5.29. For Liberty, the vulnerable path is explicitly tied to an optional SIP feature, not the default web runtime.

IBM's MEDIUM 4.8 is fair in lab terms, but in enterprise reality this trends lower. The CVSS vector already bakes in heavy friction: adjacent network, high attack complexity, and low privileges required. Add the absence of a KEV listing, no public exploitation evidence, a tiny EPSS of 0.00044, and the Liberty-specific requirement for sipServlet-1.1, and this becomes a nuisance-DoS issue for a narrow subset of deployments rather than a fleet-wide fire drill.

"This is a finicky, low-likelihood DoS: post-foothold conditions, limited reachability, and no exploitation signal."
02 · The Attack Path

3 steps from start to impact.

STEP 01

Land in the right place

The attacker first needs adjacent network reachability to the affected WebSphere service and, per IBM's CVSS, low privileges. In practice that usually means an internal foothold, a partner-connected segment, or access from a trusted application tier rather than the open internet.
Conditions required:
  • Access to the same network zone or a trusted adjacent segment
  • A valid low-privileged identity or equivalent authenticated path
  • The targeted WebSphere service is reachable from that position
Where this breaks in practice:
  • This is not unauthenticated internet RCE; it starts after some access is already gained
  • Segmentation, NGFW policy, and private app tiers often block lateral reachability
  • Many organizations do not expose SIP or WebSphere management paths broadly
Detection/coverage: Exposure management tools can spot reachable WebSphere services, but they will not prove exploitability from the attacker's network position.
STEP 02

Hit the vulnerable request path

The attacker then needs to send the specially crafted request that triggers abnormal memory growth. For Liberty, IBM explicitly ties impact to servers with sipServlet-1.1 enabled, so a protocol generator such as sipp or a custom SIP client is the likely weaponized path there; for traditional WebSphere, the exact request shape is not public in IBM's bulletin.
Conditions required:
  • For Liberty, sipServlet-1.1 is enabled in server.xml
  • The relevant endpoint and protocol handler are enabled and bound
  • The attacker can generate the malformed or high-cost request pattern
Where this breaks in practice:
  • No public PoC or exploit repo was found during this review
  • High attack complexity means the trigger is probably sensitive to request structure and timing
  • If the SIP feature is absent on Liberty, that branch is not affected
Detection/coverage: Version-based plugins such as Nessus plugin 315540 detect candidate systems, but Tenable notes the check relies on self-reported version numbers, not exploit validation.
STEP 03

Sustain memory pressure long enough to matter

Successful exploitation is availability-only: the process consumes memory until the JVM slows under GC pressure, throws OutOfMemoryError, or the service becomes unstable. The attacker typically needs repeated requests, or enough persistence, to push the service past its resource guardrails.
Conditions required:
  • The target has sufficient request acceptance to accumulate memory pressure
  • No upstream rate control or protocol-aware throttling cuts the flow
  • Operations do not detect and recycle the workload before impact
Where this breaks in practice:
  • Heap sizing, process limits, and SBC or proxy controls can cap blast radius
  • App teams often notice JVM heap pressure before total outage on monitored tiers
  • Impact is service degradation or outage, not code execution or data theft
Detection/coverage: JVM heap telemetry, OOM logs, SIP transaction spikes, and edge rate anomalies are the practical signals; network IDS coverage is likely weak without a public signature.
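The practical signals named above turned into detection logic, added here as an example and not taken from the page or from IBM: a sliding-window rule over JVM heap samples that fires on sustained growth toward the ceiling, plus a scan of messages.log lines for java.lang.OutOfMemoryError and for a restart loop (several server-ready messages in a short span). The heap samples and log lines are constructed; CWWKF0011I is Liberty's real server-ready message ID, while the component name in the OOM lines, the sample values and the thresholds are assumptions to tune per environment.

```python
#!/usr/bin/env python3
"""Heap-pressure and restart-loop detection for a WebSphere/Liberty JVM.
Added example: samples and log lines are constructed for illustration."""
from collections import deque
from datetime import datetime, timedelta
import re

# Constructed heap samples (timestamp, used MB, max MB), one per 30 s, as a
# JVM monitor would emit them; used heap climbs steadily toward the 2048 MB cap.
HEAP_SAMPLES = [
    ("2026-05-28T10:00:00", 610, 2048),
    ("2026-05-28T10:00:30", 640, 2048),
    ("2026-05-28T10:01:00", 820, 2048),
    ("2026-05-28T10:01:30", 1100, 2048),
    ("2026-05-28T10:02:00", 1390, 2048),
    ("2026-05-28T10:02:30", 1650, 2048),
    ("2026-05-28T10:03:00", 1890, 2048),
]

# Constructed messages.log excerpt: OOM errors and three CWWKF0011I
# server-ready messages inside ten minutes. The component name is assumed.
MESSAGES_LOG = """\
[5/28/26, 10:03:12:004 UTC] 0000002a com.ibm.ws.sip.container.Dispatcher E java.lang.OutOfMemoryError: Java heap space
[5/28/26, 10:03:40:118 UTC] 00000001 com.ibm.ws.kernel.feature.internal.FeatureManager A CWWKF0011I: The sipServer server is ready to run a smarter planet.
[5/28/26, 10:06:02:551 UTC] 0000002c com.ibm.ws.sip.container.Dispatcher E java.lang.OutOfMemoryError: Java heap space
[5/28/26, 10:06:31:209 UTC] 00000001 com.ibm.ws.kernel.feature.internal.FeatureManager A CWWKF0011I: The sipServer server is ready to run a smarter planet.
[5/28/26, 10:09:55:730 UTC] 00000001 com.ibm.ws.kernel.feature.internal.FeatureManager A CWWKF0011I: The sipServer server is ready to run a smarter planet.
"""

# Liberty prefix: [M/D/YY, H:MM:SS:mmm TZ]; the comma is locale-dependent
LOG_TS = re.compile(r'^\[(\d{1,2}/\d{1,2}/\d{2}),? (\d{1,2}):(\d{2}):(\d{2}):(\d{3}) [^\]]*\]')


def parse_log_ts(line):
    m = LOG_TS.match(line)
    if not m:
        return None
    date = datetime.strptime(m.group(1), "%m/%d/%y")
    return date.replace(hour=int(m.group(2)), minute=int(m.group(3)),
                        second=int(m.group(4)), microsecond=int(m.group(5)) * 1000)


def heap_growth_alerts(samples, window=5, growth_pct=25.0, ceiling_pct=85.0):
    """Alert when used heap rises monotonically across `window` consecutive
    samples, gains at least growth_pct of max heap, and ends above ceiling_pct.
    Returns one (timestamp, used_pct) per window end that trips the rule."""
    alerts = []
    win = deque(maxlen=window)
    for ts, used, mx in samples:
        win.append((ts, used, mx))
        if len(win) < window:
            continue
        used_vals = [u for _, u, _ in win]
        monotonic = all(b >= a for a, b in zip(used_vals, used_vals[1:]))
        gained = (used_vals[-1] - used_vals[0]) / mx * 100
        used_pct = used / mx * 100
        if monotonic and gained >= growth_pct and used_pct >= ceiling_pct:
            alerts.append((ts, round(used_pct, 1)))
    return alerts


def log_alerts(log_text, restart_threshold=3, restart_window=timedelta(minutes=10)):
    """Collect OutOfMemoryError timestamps and flag a restart loop: at least
    restart_threshold CWWKF0011I server-ready messages inside restart_window."""
    oom, loops, ready = [], [], deque()
    for line in log_text.splitlines():
        ts = parse_log_ts(line)
        if ts is None:
            continue
        if 'java.lang.OutOfMemoryError' in line:
            oom.append(ts)
        if 'CWWKF0011I' in line:
            ready.append(ts)
            while ready and ts - ready[0] > restart_window:
                ready.popleft()
            if len(ready) >= restart_threshold:
                loops.append(ts)
    return {'oom': oom, 'restart_loop': loops}


def summarize(samples=HEAP_SAMPLES, log_text=MESSAGES_LOG):
    """Combine the rules into one finding list for an alert pipeline."""
    findings = [f"heap growth to {pct}% at {ts}" for ts, pct in heap_growth_alerts(samples)]
    la = log_alerts(log_text)
    findings += [f"OutOfMemoryError at {ts.isoformat()}" for ts in la['oom']]
    findings += [f"restart loop (>=3 server-ready messages in 10 min) at {ts.isoformat()}"
                 for ts in la['restart_loop']]
    return findings


if __name__ == '__main__':
    for finding in summarize():
        print(finding)
```

The heap rule deliberately requires both sustained growth and proximity to the ceiling, so a normal warm-up after a restart (growth, but far from max) does not page anyone; the restart-loop rule catches the case where operations or a watchdog are recycling the JVM faster than anyone notices.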
03 · Intelligence Metadata

The supporting signals.

In-the-wild status: No public exploitation evidence found during this review, and the CVE is not in CISA KEV.
Proof-of-concept availability: No public PoC located in vendor references or common public reporting tied to this CVE as of 2026-05-30.
EPSS: 0.00044 (from the intel block supplied for this review), extremely low and consistent with limited attacker interest.
KEV status: Not KEV-listed. No CISA due date applies because it is absent from the Known Exploited Vulnerabilities Catalog.
CVSS vector and what it really means: CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H = adjacent network + high complexity + low privileges + availability only. That is a lot of prerequisites for a non-code-exec outcome.
Affected versions: Liberty 19.0.0.7 through 26.0.0.5 when sipServlet-1.1 is enabled; traditional WAS 9.0.0.0 through 9.0.5.27 and 8.5.0.0 through 8.5.5.29.
Fixed versions: Liberty 26.0.0.6 or later, WAS 9.0.5.28 or later, WAS 8.5.5.30 or later, or the interim fixes PH70807 / PH70616 as IBM directs.
Exposure reality: For Liberty, IBM documents that SIP support requires explicitly enabling sipServlet-1.1 and configuring sipEndpoint ports; the default SIP ports are 5060/5061. That is materially narrower than generic HTTP-exposed Liberty estates.
Scanner coverage: Tenable plugin 315540 covers this issue, but it is version-based only and explicitly states Nessus has not tested exploitation.
Disclosure and source: Published 2026-05-27 in IBM bulletin 7273424. IBM does not publicly credit an external reporter in the advisory.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to LOW (3.2/10)

The decisive factor is attacker position: this requires adjacent network access plus low privileges, which is already post-foothold or at least post-exposure filtering in most enterprises. Combine that with availability-only impact, no known exploitation, and Liberty's optional sipServlet-1.1 dependency, and this does not justify urgent fleet-wide handling.

HIGH confidence · Vendor-asserted affected/fixed version ranges
MEDIUM confidence · Real-world exploitability downgrade based on required attacker position
MEDIUM confidence · Liberty exposure narrowing from optional SIP feature enablement

Why this verdict

  • Adjacent + authenticated access is the whole story: the vendor vector requires AV:A and PR:L, which implies the attacker is already on a trusted segment or has already crossed a control boundary.
  • Liberty is only affected when sipServlet-1.1 is enabled: that optional feature sharply reduces exposed population compared with a generic Liberty install.
  • Availability-only blast radius: there is no confidentiality or integrity impact here, just resource exhaustion and service instability.
  • Exploit signal is weak: no KEV listing, no public exploitation evidence found, no public PoC located, and EPSS is 0.00044.
  • Modern controls add friction: segmentation, NGFW policy, SIP-aware edge devices, rate controls, and JVM monitoring all tend to break or at least shorten the attack chain.

Why not higher?

If this were unauthenticated remote over broadly internet-exposed HTTP paths, the score would climb fast. It is not. The need for adjacent reachability, valid privileges, high-complexity request crafting, and the absence of exploitation evidence are all strong downward pressure.

Why not lower?

I am not calling this IGNORE because a successful trigger can still knock over a production application tier, and the affected version ranges in traditional WebSphere are broad. In a voice or SIP-heavy environment, a targeted availability hit against a business service can still hurt even without data theft or code execution.

05 · Compensating Control

What to do — in priority order.

  1. Limit reachability — Restrict access to WebSphere service ports to only required peers, especially any SIP-facing ports such as 5060/5061 on Liberty. For a LOW verdict there is no SLA; do this in the next normal network-policy cycle, prioritizing systems that are externally reachable or shared across trust zones.
  2. Disable unused SIP support — If Liberty does not need SIP, remove sipServlet-1.1 from server.xml and redeploy under standard change control. For a LOW verdict there is no SLA; treat this as backlog hygiene and clean it up in the next application maintenance window.
  3. Throttle abusive request patterns — Apply rate limits or protocol-aware controls at reverse proxies, SIP SBCs, or upstream load balancers to cut off repeated malformed traffic before it reaches the JVM. For a LOW verdict there is no SLA; stage during routine edge-policy maintenance.
  4. Watch heap and restart behavior — Alert on abnormal heap growth, repeated GC pressure, OOM events, and service recycle loops on affected WebSphere JVMs. For a LOW verdict there is no SLA; add detections during the next monitoring rules review so operations sees service abuse quickly.
What doesn't work
  • MFA does not meaningfully reduce risk if the vulnerable path is a protocol endpoint already reachable from a trusted segment.
  • Endpoint AV alone will not stop a crafted protocol request from consuming JVM memory before the service degrades.
  • Routine restarts are recovery, not mitigation; they do nothing to remove the trigger condition.
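Control 3 expressed as code, added here as an example and not IBM's code or the page's: the pre-filter an SBC or SIP-aware proxy applies before traffic reaches a Liberty sipEndpoint. It rejects requests that lack the header fields RFC 3261 makes mandatory, honours the RFC's compact header forms so legitimate clients are not misclassified, and caps requests per source over a sliding window, counting malformed arrivals too so a garbage flood trips the limit. The traffic, addresses and limits are constructed for illustration and would be tuned to real call volume.

```python
#!/usr/bin/env python3
"""SIP pre-filter: reject malformed requests, then rate-limit per source.

Added example, not IBM's or the page's code. REQUIRED_HEADERS and COMPACT follow
RFC 3261; traffic, addresses and limits are constructed for illustration."""
from collections import defaultdict, deque

# RFC 3261 section 8.1.1: every request must carry these header fields
REQUIRED_HEADERS = ('via', 'from', 'to', 'call-id', 'cseq', 'max-forwards')
# RFC 3261 compact forms; a filter that ignores them drops legitimate clients
COMPACT = {'v': 'via', 'f': 'from', 't': 'to', 'i': 'call-id', 'm': 'contact',
           'l': 'content-length', 'c': 'content-type', 'e': 'content-encoding',
           's': 'subject', 'k': 'supported'}
METHODS = {'INVITE', 'ACK', 'BYE', 'CANCEL', 'OPTIONS', 'REGISTER', 'SUBSCRIBE',
           'NOTIFY', 'MESSAGE', 'INFO', 'PRACK', 'UPDATE', 'REFER', 'PUBLISH'}


def parse_sip_request(raw):
    """Return {'method', 'uri', 'headers'} for a well-formed request, else None."""
    head = raw.split('\r\n\r\n', 1)[0]
    lines = head.split('\r\n')
    start = lines[0].split(' ')
    if len(start) != 3 or start[0] not in METHODS or start[2] != 'SIP/2.0':
        return None
    headers = {}
    for line in lines[1:]:
        if ':' not in line:
            return None
        name, value = line.split(':', 1)
        name = name.strip().lower()
        headers.setdefault(COMPACT.get(name, name), value.strip())
    if any(h not in headers for h in REQUIRED_HEADERS):
        return None
    return {'method': start[0], 'uri': start[1], 'headers': headers}


class SipThrottle:
    """Per-source sliding window. Every arrival counts, malformed or not,
    so a junk flood is cut off just like a valid one."""

    def __init__(self, limit=20, window_s=10.0):
        self.limit = limit
        self.window_s = window_s
        self.arrivals = defaultdict(deque)

    def admit(self, ts, src, raw):
        q = self.arrivals[src]
        while q and ts - q[0] > self.window_s:
            q.popleft()
        q.append(ts)
        if len(q) > self.limit:
            return 'DROP_RATE'
        if parse_sip_request(raw) is None:
            return 'DROP_MALFORMED'
        return 'FORWARD'


def invite(src, call_id, branch):
    # Constructed well-formed INVITE
    return ('INVITE sip:bob@voice.example.internal SIP/2.0\r\n'
            f'Via: SIP/2.0/UDP {src}:5060;branch=z9hG4bK{branch}\r\n'
            'Max-Forwards: 70\r\n'
            'From: <sip:alice@voice.example.internal>;tag=1928301774\r\n'
            'To: <sip:bob@voice.example.internal>\r\n'
            f'Call-ID: {call_id}@{src}\r\n'
            'CSeq: 1 INVITE\r\n'
            'Content-Length: 0\r\n\r\n')


# Constructed junk: valid start line, none of the mandatory headers
MALFORMED = ('INVITE sip:bob@voice.example.internal SIP/2.0\r\n'
             'Via: SIP/2.0/UDP 10.99.0.7:5060\r\n'
             'Content-Length: 0\r\n\r\n')


def simulate():
    """Constructed traffic: one source bursts 25 INVITEs in 5 s against a
    20-per-10 s limit, one sends malformed requests, one places a single call."""
    gate = SipThrottle(limit=20, window_s=10.0)
    tally = defaultdict(lambda: defaultdict(int))
    for i in range(25):
        verdict = gate.admit(i * 0.2, '10.20.30.40', invite('10.20.30.40', f'c{i}', str(i)))
        tally['10.20.30.40'][verdict] += 1
    for i in range(3):
        tally['10.99.0.7'][gate.admit(1.0 + i, '10.99.0.7', MALFORMED)] += 1
    tally['10.20.30.41'][gate.admit(2.0, '10.20.30.41', invite('10.20.30.41', 'c-single', 'x1'))] += 1
    return {src: dict(v) for src, v in tally.items()}


if __name__ == '__main__':
    for src, counts in simulate().items():
        print(src, counts)
```

The point of the two-stage order is that nothing malformed and nothing over budget ever reaches the JVM, which is where the memory in this CVE is consumed; the single well-behaved caller at 10.20.30.41 is unaffected by the neighbour's burst because the window is keyed per source.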
06 · Verification

Crowdsourced verification payload.

Run this on the target WebSphere/Liberty host or from a management runner with filesystem access to the install root. Save it as noisgate-verify.py and invoke it with python3 noisgate-verify.py --install-root /opt/IBM/WebSphere/AppServer for traditional WAS, or python3 noisgate-verify.py --install-root /opt/ibm/wlp --server-xml /opt/ibm/wlp/usr/servers/defaultServer/server.xml for Liberty. Read access to the install root is usually enough; permission to execute productInfo / versionInfo improves accuracy.

noisgate-verify.py
Python · read-only · safe
#!/usr/bin/env python3
# CVE-2026-4410 verification helper
# Outputs exactly one of: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 1=vulnerable, 0=patched/not affected, 2=unknown
#
# Read-only: reads version/property files and server.xml and, where it may
# execute them, runs productInfo / versionInfo to read the self-reported
# version and installed interim fixes. It never touches the SIP endpoint.

import argparse
import os
import re
import subprocess
import sys
from pathlib import Path

# Vendor-asserted ranges (IBM bulletin 7273424)
LIBERTY_AFFECTED = ('19.0.0.7', '26.0.0.5')
LIBERTY_FIXED = '26.0.0.6'
WAS9_AFFECTED = ('9.0.0.0', '9.0.5.27')
WAS9_FIXED = '9.0.5.28'
WAS85_AFFECTED = ('8.5.0.0', '8.5.5.29')
WAS85_FIXED = '8.5.5.30'
# Interim fixes named in the bulletin; an installed one counts as remediated
INTERIM_FIXES = ('PH70807', 'PH70616')

SIP_FEATURE = 'sipServlet-1.1'


def parse_ver(v):
    try:
        return tuple(int(x) for x in v.strip().split('.'))
    except Exception:
        return None


def cmp_ver(a, b):
    # Pad the shorter tuple with zeros so 9.0.5 compares equal to 9.0.5.0
    la, lb = list(a), list(b)
    while len(la) < len(lb):
        la.append(0)
    while len(lb) < len(la):
        lb.append(0)
    return (la > lb) - (la < lb)


def in_range(pv, lo, hi):
    return cmp_ver(pv, parse_ver(lo)) >= 0 and cmp_ver(pv, parse_ver(hi)) <= 0


def run_cmd(cmd):
    try:
        p = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
                           text=True, timeout=60)
        return p.returncode, p.stdout
    except Exception:
        return None, ''


def script_cmd(path, *args):
    # .bat wrappers need cmd /c on Windows; .sh scripts and the bare
    # productInfo launcher run directly
    cmd = [str(path)] + list(args)
    if path.suffix.lower() == '.bat':
        cmd = ['cmd', '/c'] + cmd
    return cmd


def find_version_in_text(text):
    # Prefer a "Version   9.0.5.17" or "Product version: 24.0.0.3" line at the
    # start of a line. versionInfo.sh prints its own reporter version first
    # ("WVER0012I: VersionInfo reporter version 1.15.1.48"), so a bare
    # four-part-number search returns the wrong number on traditional WAS.
    m = re.search(r'^\s*(?:Product\s+)?version\s*[:=]?\s+(\d+\.\d+\.\d+\.\d+)\b',
                  text, re.IGNORECASE | re.MULTILINE)
    if m:
        return m.group(1)
    m = re.search(r'\b(\d+\.\d+\.\d+\.\d+)\b', text)
    return m.group(1) if m else None


def has_interim_fix(text):
    return any(fix in text for fix in INTERIM_FIXES)


def detect_liberty(install_root):
    return ((install_root / 'bin' / 'productInfo').exists()
            or (install_root / 'bin' / 'productInfo.bat').exists()
            or install_root.name.lower() == 'wlp')


def get_liberty_version(install_root):
    """Return (version, interim_fix_seen). Tries productInfo, then the
    lib/versions property files (com.ibm.websphere.productVersion=...)."""
    version, ifix = None, False
    for c in [install_root / 'bin' / 'productInfo', install_root / 'bin' / 'productInfo.bat']:
        if not c.exists():
            continue
        rc, out = run_cmd(script_cmd(c, 'version'))
        version = version or find_version_in_text(out)
        rc, out = run_cmd(script_cmd(c, 'version', '--ifixes'))
        ifix = ifix or has_interim_fix(out)
        if version:
            break
    if not version:
        for rel in ['lib/versions/openliberty.properties',
                    'lib/versions/WebSphereApplicationServer.properties']:
            p = install_root / rel
            if not p.exists():
                continue
            try:
                data = p.read_text(errors='ignore')
            except Exception:
                continue
            # no \b before "version": the key is productVersion=
            m = re.search(r'version\s*[=:]\s*(\d+\.\d+\.\d+\.\d+)\b', data, re.IGNORECASE)
            if m:
                version = m.group(1)
                break
    return version, ifix


def get_traditional_version(install_root):
    """Return (version, interim_fix_seen). properties/version/WAS.product is
    the deterministic read-only source; versionInfo -ifixes adds fix detail."""
    version, ifix = None, False
    prod = install_root / 'properties' / 'version' / 'WAS.product'
    if prod.exists():
        try:
            m = re.search(r'<version>\s*(\d+\.\d+\.\d+\.\d+)\s*</version>',
                          prod.read_text(errors='ignore'))
            if m:
                version = m.group(1)
        except Exception:
            pass
    for c in [install_root / 'bin' / 'versionInfo.sh', install_root / 'bin' / 'versionInfo.bat']:
        if c.exists():
            rc, out = run_cmd(script_cmd(c, '-ifixes'))
            version = version or find_version_in_text(out)
            ifix = ifix or has_interim_fix(out)
    return version, ifix


def find_server_xmls(install_root, explicit_server_xml=None):
    if explicit_server_xml:
        p = Path(explicit_server_xml)
        return [p] if p.exists() else []
    bases = [install_root / 'usr' / 'servers']
    # Liberty honours WLP_USER_DIR for a relocated user directory
    user_dir = os.environ.get('WLP_USER_DIR')
    if user_dir:
        bases.append(Path(user_dir) / 'servers')
    results = []
    for base in bases:
        if base.exists():
            results.extend(base.rglob('server.xml'))
    return results


_COMMENT_RE = re.compile(r'<!--.*?-->', re.DOTALL)
_FEATURE_RE = re.compile(r'<feature>\s*' + re.escape(SIP_FEATURE) + r'\s*</feature>', re.IGNORECASE)
_INCLUDE_RE = re.compile(r'<include\s[^>]*location\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def config_enables_sip(path, seen=None):
    """True if this server.xml, or a fragment it <include>s by plain relative or
    absolute path, enables sipServlet-1.1. XML comments are stripped first so a
    commented-out feature does not count. Includes that use ${variables} or
    URLs are not resolved; check those by hand."""
    seen = seen if seen is not None else set()
    path = path.resolve()
    if path in seen:
        return False
    seen.add(path)
    try:
        data = _COMMENT_RE.sub('', path.read_text(errors='ignore'))
    except Exception:
        return False
    if _FEATURE_RE.search(data):
        return True
    for loc in _INCLUDE_RE.findall(data):
        if '${' in loc or '://' in loc:
            continue
        inc = Path(loc) if Path(loc).is_absolute() else path.parent / loc
        if inc.exists() and config_enables_sip(inc, seen):
            return True
    return False


def liberty_sip_enabled(server_xmls):
    if not server_xmls:
        return None
    return any(config_enables_sip(p) for p in server_xmls)


def verdict(result, code):
    print(result)
    sys.exit(code)


def main():
    ap = argparse.ArgumentParser(description='CVE-2026-4410 read-only version check')
    ap.add_argument('--install-root', required=True, help='WebSphere/Liberty install root')
    ap.add_argument('--server-xml', help='Liberty server.xml path (recommended for Liberty)')
    args = ap.parse_args()

    root = Path(args.install_root)
    if not root.exists():
        verdict('UNKNOWN', 2)

    if detect_liberty(root):
        version, ifix = get_liberty_version(root)
        pv = parse_ver(version) if version else None
        if not pv:
            verdict('UNKNOWN', 2)

        # Liberty is only affected when sipServlet-1.1 is enabled
        sip = liberty_sip_enabled(find_server_xmls(root, args.server_xml))
        if sip is None:
            verdict('UNKNOWN', 2)
        if sip is False:
            verdict('PATCHED', 0)   # not affected: SIP feature absent

        if ifix or cmp_ver(pv, parse_ver(LIBERTY_FIXED)) >= 0:
            verdict('PATCHED', 0)
        if in_range(pv, *LIBERTY_AFFECTED):
            verdict('VULNERABLE', 1)
        # Below 19.0.0.7 is outside the documented range, not proven safe
        verdict('UNKNOWN', 2)

    version, ifix = get_traditional_version(root)
    pv = parse_ver(version) if version else None
    if not pv:
        verdict('UNKNOWN', 2)

    if pv[0] == 9:
        if ifix or cmp_ver(pv, parse_ver(WAS9_FIXED)) >= 0:
            verdict('PATCHED', 0)
        if in_range(pv, *WAS9_AFFECTED):
            verdict('VULNERABLE', 1)
        verdict('UNKNOWN', 2)

    if len(pv) >= 2 and pv[0] == 8 and pv[1] == 5:
        if ifix or cmp_ver(pv, parse_ver(WAS85_FIXED)) >= 0:
            verdict('PATCHED', 0)
        if in_range(pv, *WAS85_AFFECTED):
            verdict('VULNERABLE', 1)
        verdict('UNKNOWN', 2)

    verdict('UNKNOWN', 2)


if __name__ == '__main__':
    main()
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, scope first: identify traditional WebSphere 8.5/9.0 instances and Liberty servers in 19.0.0.7-26.0.0.5 that actually have sipServlet-1.1 enabled, then confirm which of those are reachable from partner, voice, or internal lateral-movement segments. Because this lands LOW, the noisgate mitigation SLA is no SLA and the noisgate remediation SLA is also no SLA—treat it as backlog hygiene, not an emergency patch event. Put network restriction and SIP-feature cleanup into the next normal change cycle, and roll 26.0.0.6 / 9.0.5.28 / 8.5.5.30 or the interim fixes in your next planned WebSphere maintenance window.

Sources

  1. IBM Security Bulletin 7273424
  2. IBM APAR PH70616
  3. IBM Recommended Updates for WebSphere Application Server
  4. IBM Liberty SIP administration
  5. IBM Liberty SIP Servlet 1.1 feature
  6. IBM Liberty default port numbers
  7. CISA Known Exploited Vulnerabilities Catalog
  8. Tenable Nessus plugin 315540