IBM

This rule detects unusual child process executions originating from web server processes on Linux systems, which attackers may use to maintain persistence on a compromised system by exploiting web server vulnerabilities.

Identifies suspicious command executions via a web server on Linux systems, which may suggest a vulnerability and remote shell access.

Multiple vulnerabilities in IBM Business Automation Workflow can be exploited by an attacker to bypass security measures, conduct a denial of service attack, disclose information, manipulate files, and conduct a cross-site scripting attack.

Multiple vulnerabilities in IBM App Connect Enterprise could allow an attacker to bypass security measures, manipulate data, disclose sensitive information, cause a denial-of-service condition, or perform other unspecified attacks.

A remote, authenticated attacker can exploit multiple vulnerabilities in IBM DB2 to perform a denial of service attack, potentially disrupting database services.

IBM Aspera High-Speed Transfer Endpoint and Server versions 3.7.4 through 4.4.7 Fix Pack 1 are vulnerable to a denial-of-service (DoS) attack where an unauthenticated user can crash the asperahttpd service.

IBM Aspera High-Speed Transfer Endpoint and Server 3.7.4 through 4.4.7 Fix Pack 1 are vulnerable to a buffer overflow in the asperahttpd component, potentially allowing an authenticated user to execute arbitrary code.

IBM Langflow OSS versions 1.0.0 through 1.9.0 are vulnerable to a denial-of-service (DoS) attack due to uncontrolled resource consumption as tracked by CVE-2026-7528.

IBM Operations Analytics - Log Analysis and IBM SmartCloud Analytics - Log Analysis use default passwords from the manufacturing process, potentially allowing attackers to bypass authentication.

IBM Controller versions 11.0.1, 11.1.0, 11.1.1, and 11.1.2 are vulnerable to hard-coded credentials (CVE-2026-5065), potentially allowing unauthorized access and control of the application.

IBM Netezza Performance Server Replication Services versions 3.0.2.0 through 3.0.5.0 allows an attacker with low-privileged access to escalate their privileges to root, leading to complete system compromise.

IBM InfoSphere Optim Test Data Fabrication versions 1.0.0 through 1.0.2.7 are susceptible to a path traversal vulnerability (CVE-2026-3366), allowing a remote attacker to send a specially crafted URL request containing 'dot dot' sequences (/../) to view arbitrary files on the system.

IBM Db2 versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.4 are vulnerable to a denial-of-service (DoS) attack via a specially crafted query when autonomous transactions are enabled, potentially leading to service disruption.

IBM QRadar 7.5.0 through 7.5.0 UP15 Interim Fix 002 is vulnerable to CVE-2024-56462, enabling a privileged user to upload a malicious backup archive that, upon restoration, leads to unauthorized access to the underlying operating system.

IBM Aspera High-Speed Transfer Endpoint and Server are vulnerable to a buffer overflow in the asperahttpd component, potentially leading to denial of service, authentication bypass, or remote code execution.

IBM Langflow OSS versions 1.0.0 through 1.9.1 are vulnerable to remote code execution (CVE-2026-7524) due to improper validation of symbolic links during archive extraction, potentially allowing an attacker to execute arbitrary code on the system.

Multiple vulnerabilities in IBM DB2 allow a remote, authenticated, or local attacker to disclose information, bypass security measures, or cause a denial of service.

IBM Engineering Lifecycle Management 7.0.3 through Interim Fix 021, 7.1.0 through Interim Fix 009, and 7.2.0 through Interim Fix 001 could allow an attacker with administrative privileges to execute remote code due to an exposed method that is not properly restricted, potentially leading to complete system compromise.

IBM Engineering Lifecycle Management versions 7.0.3 through Interim Fix 021, 7.1.0 through Interim Fix 009, and 7.2.0 through Interim Fix 001 are vulnerable to an unauthenticated remote attacker who can update server property files, leading to unauthorized access to the application.

IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 are vulnerable to XML external entity injection (XXE), allowing an authenticated attacker to expose sensitive information or consume memory resources.

IBM HTTP Server 8.5 and 9.0 are vulnerable to a heap-based buffer overflow, allowing a privileged, authenticated user to execute arbitrary code or cause a denial of service.

IBM WebSphere Application Server and WebSphere Liberty versions 8.5 and 9.0 are vulnerable to denial of service and potential remote code execution due to improper input validation as described in CVE-2026-9170.

IBM HTTP Server 8.5 and 9.0 is vulnerable to a denial of service (DoS) in configurations where an attacker possesses write access to server configuration files, as tracked by CVE-2026-8856.

IBM HTTP Server 8.5 and 9.0 are vulnerable to remote code execution and denial of service in configurations utilizing TLS mutual authentication (client authentication).

IBM HTTP Server 8.5 and 9.0 are vulnerable to a denial-of-service (DoS) attack due to a flaw in the optional `mod_mem_cache` module that can be triggered remotely.

IBM HTTP Server versions 8.5 and 9.0 are susceptible to an invalid pointer dereference, potentially allowing a privileged, authenticated user to expose sensitive information or cause a denial of service.

IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty 8.5 and 9.0 are vulnerable to HTTP request smuggling due to inconsistent interpretation of HTTP requests, potentially leading to unauthorized access and data manipulation.

IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty are vulnerable to remote code execution in the Web Server Plug-ins, through a specially crafted request (CVE-2026-8633).

A remote, anonymous attacker can exploit multiple vulnerabilities in IBM App Connect Enterprise to execute arbitrary program code, manipulate data, conduct cross-site scripting attacks, disclose confidential information, or cause a denial-of-service condition.

Attackers are leveraging indirect prompt injection against AI agents with access to private data, untrusted content, and external communication channels to steal sensitive information by embedding malicious instructions in content processed by the agent.

Multiple vulnerabilities in IBM DB2 Big SQL could allow an attacker to perform a denial of service attack and execute arbitrary code.

An authenticated remote attacker can exploit a vulnerability in IBM WebSphere Application Server Liberty to execute arbitrary program code on the target system.

Multiple vulnerabilities in IBM SPSS can be exploited by an attacker to perform cross-site scripting (XSS) attacks, denial of service attacks, and to manipulate files.

IBM Turbonomic prometurbo agent versions 8.16.0 through 8.17.6 grants excessive cluster-wide permissions, including unrestricted read access to all secrets, allowing a compromised operator or service account to exfiltrate credentials, escalate privileges, and achieve full cluster compromise.

IBM Langflow Desktop versions 1.0.0 through 1.8.4 are vulnerable to remote command execution, allowing an attacker to execute arbitrary commands with the privileges of the Langflow process, potentially leading to sensitive data exposure and lateral movement.

IBM Langflow Desktop versions 1.0.0 through 1.8.4 are vulnerable to an indirect object reference (IDOR) vulnerability (CVE-2026-4503), allowing unauthenticated users to view other users' images due to a user-controlled key.

IBM WebSphere Application Server Liberty versions 17.0.0.3 through 26.0.0.4 are susceptible to identity spoofing when applications are deployed without proper authentication and authorization configurations, potentially leading to unauthorized access and privilege escalation.

An unauthenticated user can execute arbitrary commands with normal user privileges on vulnerable IBM Total Storage Service Console (TSSC) / TS4500 IMC versions due to improper validation of user-supplied input, as identified by CVE-2026-5935.

Adversaries may execute processes from unusual default Windows directories to masquerade malware and evade defenses by blending in with trusted paths, making malicious activity harder to detect.