Listen to this Post
CVE-2026-4410 enables a remote DoS attack against IBM WebSphere Application Server and Liberty by exhausting memory resources. The vulnerability lies in how the server’s `sipServlet-1.1` feature handles specially-crafted requests, leading to uncontrolled resource consumption and, ultimately, a denial of service.
The vulnerable code exists within the `sipServlet-1.1` module, which processes Session Initiation Protocol (SIP) messages. When enabled, the server listens for requests on the SIP port (default 5060). The core issue is a failure to properly manage internal memory allocations during the parsing or handling of certain attack requests.
By sending a specifically engineered packet to the SIP port, an attacker can trigger a memory leak or cause the server to allocate an unmanageable amount of memory. The application does not properly control consumption of internal resources, and a remote attacker can exploit this vulnerability to cause the server to consume memory resources.
This resource exhaustion causes the server to become unstable or crash, disrupting all services (HTTP, HTTPS, other ports) on the instance as the JVM runs out of heap memory. Crucially, the attack does not require the `sipServlet-1.1` feature to be actively used for processing calls; the mere enabling of the feature makes the SIP port vulnerable. The CVSS base score from NIST is 7.5 HIGH, while IBM Corporation assessed it as 4.8 MEDIUM.
DailyCVE Form:
Platform: IBM WebSphere
Version: 8.5, 9.0,
Vulnerability : Uncontrolled Resource Consumption
Severity: Medium (4.8)
date: May 27, 2026
Prediction: 3rd Quarter 2026
What Undercode Say: Analytics
The following commands can help identify vulnerable versions by checking the product installation details. The Nessus plugin `websphere_7273424.nasl` can be used for automated scanning.
Check WebSphere traditional version grep "version" /opt/IBM/WebSphere/AppServer/properties/version/version.properties Check Liberty version cat /opt/ibm/wlp/usr/servers/serverName/.version.txt Check Liberty features configuration cat /opt/ibm/wlp/usr/servers/serverName/server.xml | grep sipServlet-1.1 Nessus scan command nessus -q -T html -i target_ips.txt -p websphere_7273424.nasl
Exploit:
As a Proof of Concept, the attacker first identifies if the target’s SIP port (5060) is open and the `sipServlet-1.1` feature is enabled. Next, they craft a malicious SIP `REGISTER` request (or other packets), injecting a specially malformed tag (e.g., an extremely long `Call-ID` header or invalid sequence numbers). This malformed packet is sent in a single request, not as a flood, causing the vulnerable parser to allocate all available memory in the JVM heap.
Example malformed SIP packet to trigger memory consumption printf "REGISTER sip:target SIP/2.0\r\nCall-ID: $(perl -e 'print "A" x 100000')\r\n\r\n" | nc -u target_ip 5060
Protection:
Protect your systems by verifying if the `sipServlet-1.1` feature is needed. If not, immediately disable it to eliminate the attack vector.
Disable sipServlet-1.1 in Liberty sed -i '/sipServlet-1.1/d' /opt/ibm/wlp/usr/servers/serverName/server.xml Apply the IBM Interim Fix (PH70616 or PH70807) or upgrade to 9.0.5.28, 8.5.5.30, or Liberty 26.0.0.6
Impact:
An unauthenticated remote attacker with network access to the SIP port can crash the WebSphere JVM. Successful exploitation leads to complete system unavailability for all hosted applications, resulting in a denial of service without requiring any special privileges or user interaction.
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

