PatchSiren

CVE-2026-5935 IBM CVE debrief

IBM Total Storage Service Console (TSSC) and TS4500 IMC versions 9.2 through 9.6 contain an unauthenticated command injection vulnerability (CWE-78) due to improper validation of user-supplied input. An attacker can execute arbitrary commands with normal user privileges without authentication. The vulnerability was published on April 23, 2026, and last modified on May 18, 2026. IBM has released a vendor advisory with mitigation guidance.

Vendor: IBM
Product: Total Storage Service Console (TSSC) / TS4500 IMC
CVSS: HIGH 7.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-23
Original CVE updated: 2026-05-18
Advisory published: 2026-04-23
Advisory updated: 2026-05-18

Who should care

Organizations running IBM Total Storage Service Console or TS4500 IMC versions 9.2-9.6 for storage infrastructure management. Security teams responsible for data center and storage network security. Compliance officers tracking unauthenticated remote code execution risks in critical infrastructure.

Technical summary

The vulnerability exists in the input validation mechanisms of IBM TSSC and TS4500 IMC management consoles. Insufficient sanitization of user-supplied input allows injection of operating system commands. Because the vulnerability is exploitable without authentication, remote attackers can achieve command execution with the privileges of the service account. The affected versions span 9.2 through 9.6 for both product lines.

Defensive priority

HIGH

Recommended defensive actions

  • Apply vendor patches from IBM when available per the vendor advisory
  • Restrict network access to TSSC/IMC management interfaces to authorized administrative hosts only
  • Monitor for anomalous command execution or unexpected processes on affected systems
  • Review system logs for signs of unauthorized access or command execution
  • Implement network segmentation to isolate storage management interfaces from untrusted networks

Evidence notes

The vulnerability affects IBM Total Storage Service Console (TSSC) and TS4500 IMC versions 9.2, 9.3, 9.4, 9.5, and 9.6. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) indicates a network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, and low impact to each of confidentiality, integrity, and availability. The weakness is classified as CWE-78 (OS Command Injection).

Official resources

IBM disclosed this vulnerability through their Product Security Incident Response Team (PSIRT) with a vendor advisory. The NVD entry was published on April 23, 2026, and analyzed as of the May 18, 2026 modification. No known exploitation in