HIGH 8.8

CVE-2026-7770: Remote Code Execution in IBM i Access Client Solutions 1.1.5.0–1.1.9.12

IBM i Access Client Solutions (ACS) versions 1.1.5.0 through 1.1.9.12 contain a remote code execution vulnerability when the software is configured to receive requests from IBM i Navigator. An authenticated attacker can exploit this flaw to execute arbitrary code on the affected system, potentially compromising the entire environment. This is a serious vulnerability affecting a core IBM i administration tool.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-74
Affected products
0 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

IBM i Access Family 1.1.5.0 through 1.1.9.12 IBM i Access Client Solutions (ACS) is vulnerable to remote code execution when configured to listen for requests from IBM i Navigator.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from improper input validation (CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component) in ACS when it listens for IBM i Navigator requests. The network-accessible listener does not properly sanitize or validate incoming data, allowing authenticated users to inject malicious commands that execute with the privileges of the ACS process. The low attack complexity and lack of user interaction requirements make this particularly concerning in enterprise environments where ACS is typically deployed across multiple systems.

Business impact

Organizations running IBM i environments that rely on ACS for remote administration face significant risk. Successful exploitation could lead to unauthorized access to sensitive IBM i systems, data theft, system manipulation, or lateral movement within the infrastructure. Given that ACS is often deployed on administrator workstations or centralized management systems, compromise could affect multiple IBM i partitions and business-critical workloads. Recovery may require extensive forensic investigation and system rebuilds.

Affected systems

IBM i Access Client Solutions (ACS) versions 1.1.5.0 through 1.1.9.12 are vulnerable when configured to listen for IBM i Navigator requests. Organizations should identify all systems running these versions, particularly those used for administrative access to production IBM i environments. The vulnerability requires the listening configuration to be active, so systems with ACS installed but not configured as a navigation listener may have reduced but not eliminated risk depending on default settings.

Exploitability

This vulnerability requires authenticated access (CVSS PR:L), meaning the attacker must have valid credentials or network access within an authorized session. However, the network-accessible nature of the listener (AV:N), combined with low attack complexity (AC:L) and no user interaction requirement (UI:N), means exploitation is straightforward once an attacker gains initial authentication. The high integrity and availability impact scores (I:H/A:H) reflect the ability to execute arbitrary code and disrupt system operations.

Remediation

Organizations should immediately patch ACS to a version beyond 1.1.9.12. Verify the specific patched version number against IBM's security advisory and testing in a non-production environment first. Interim mitigations include restricting network access to the ACS listener through firewall rules, limiting which systems can communicate with ACS, enforcing strong authentication controls, and disabling the IBM i Navigator listener functionality if not actively required. Monitor for unauthorized access attempts to ACS administrative interfaces.

Patch guidance

Consult IBM's official security advisory for CVE-2026-7770 to confirm the minimum patched version. Deploy patches in a controlled manner: test in staging environments first, prioritize production and administrative systems, and verify functionality post-update. If immediate patching is not feasible due to operational constraints, implement network segmentation and access controls as temporary protective measures while planning the upgrade window.

Detection guidance

Monitor network traffic to and from systems running ACS, particularly looking for unusual connection patterns or payloads to the IBM i Navigator listener port. Review ACS logs and IBM i system logs for evidence of unexpected command execution, especially commands originating from ACS processes. Check for configuration changes to ACS listening parameters. Endpoint detection and response (EDR) solutions should flag suspicious process execution chains originating from ACS or its listener component. Query your asset inventory to locate all ACS installations and determine which are actively configured as listeners.

Why prioritize this

This vulnerability merits immediate attention due to the combination of high CVSS score (8.8), broad impact scope (confidentiality, integrity, and availability all affected), and the central role ACS plays in IBM i administration. While authentication is required, the low complexity of exploitation and the network-accessible attack vector mean threat actors with initial access can quickly escalate privileges. The vulnerability is not yet on the CISA KEV list, but organizations should not rely on this as an indication of lower risk; early patching is advised.

Risk score, explained

The CVSS 3.1 score of 8.8 (HIGH severity) reflects a critical combination of factors: network accessibility allows remote exploitation, low attack complexity makes it easy to execute, and the ability to achieve high-impact compromise (code execution with full system permissions) justifies the elevated score. The requirement for authenticated access (PR:L) prevents a higher score, but in practice, initial compromise via phishing or lateral movement can provide the necessary credentials, making this a significant escalation path.

Frequently asked questions

Do we need to patch immediately if we use ACS but don't configure it as a listener for IBM i Navigator?

You should prioritize patching but may have a slightly extended window compared to systems actively using the listener feature. However, verify your configuration to confirm the listener is truly disabled. Default settings may enable it automatically, and the attack surface remains reduced but present if the vulnerable code path is loaded. Treat this as urgent rather than deferrable.

What's the difference between this vulnerability and typical remote code execution bugs?

This particular vulnerability requires prior authentication, which is less severe than unauthenticated RCE. However, it's still serious because ACS is typically accessed by administrators who may have weak password policies, share credentials, or be targeted by phishing. Additionally, if an attacker gains access to one part of your IBM i environment, they can use this to move laterally through ACS to other systems.

Can we temporarily work around this without patching?

Yes, you can implement network segmentation to restrict which systems can reach the ACS listener, enforce multi-factor authentication for ACS access, and disable the IBM i Navigator listener if it's not essential to operations. However, these are temporary measures only—patching should be scheduled as soon as feasible, as workarounds introduce operational friction and remain incomplete mitigations.

Is this vulnerability actively being exploited in the wild?

As of the current date, this vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, meaning widespread active exploitation has not been publicly confirmed. However, organizations should not interpret this as low risk. The vulnerability is relatively recent, and sophisticated threat actors targeting IBM i environments will likely develop exploits quickly. Assume active exploitation is possible and patch accordingly.

This analysis is provided for informational purposes and should not be construed as legal or compliance advice. Organizations are responsible for assessing their own risk and implementing appropriate mitigations based on their environment, risk tolerance, and business requirements. Patch version numbers and availability should be verified against IBM's official security advisory before deployment. SEC.co makes no warranty regarding the completeness or accuracy of affected product lists and recommends consulting vendor documentation for definitive guidance. Source: NVD (public-domain), retrieved 2026-07-08. Analysis generated by SEC.co (claude-haiku-4-5).