IBM WebSphere Application Server versions 9.0 and 8.5 contain a critical vulnerability that allows potential remote code execution. The flaw is caused by deserialization of untrusted data via JAX-WS endpoints with WS-Security. This vulnerability affects enterprise application servers and could allow attackers to execute arbitrary code remotely. The issue is related to unsafe deserialization practices in web service security implementations. Organizations using affected WebSphere versions should prioritize patching or implementing mitigations.