PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-3128 BlackBerry CVE debrief

CVE-2016-3128 is a spoofing vulnerability in the core of BlackBerry Enterprise Server (BES) 12 through 12.5.2. According to the CVE record, a remote attacker could use information tied to a legitimately enrolled device to enroll an illegitimate device, access device parameters for the BES, or send false information to the BES. NVD lists the issue as CVSS 3.0 8.2 (HIGH) with network attack vector, no privileges, and no user interaction.

Vendor: BlackBerry
Product: BlackBerry Enterprise Server (BES) 12, versions 12.0.0 through 12.5.2
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-13
Original CVE updated: 2026-05-13
Advisory published: 2017-01-13
Advisory updated: 2026-05-13

Who should care

Organizations operating BlackBerry Enterprise Server 12.x deployments, especially environments still running BES 12.0.0 through 12.5.2, should treat this as relevant because it affects device enrollment and trust relationships in the management plane.

Technical summary

NVD maps the vulnerability to BlackBerry Enterprise Server versions 12.0.0, 12.0.1, 12.1.0, 12.2.0, 12.2.1, 12.3.0, 12.3.1, 12.4.0, 12.4.1, 12.5.0a, 12.5.1, and 12.5.2. The weakness is classified as CWE-254 (7PK - Security Features). The CVSS vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N: network attack vector, low attack complexity, no privileges or user interaction required, unchanged scope, low confidentiality impact, high integrity impact, and no availability impact.

Defensive priority

High for any active BES 12.x deployment that still manages devices or enrollment workflows. The issue directly affects trust in device identity and administrative data flow, which can have downstream operational and security consequences.

Recommended defensive actions

  • Inventory all BlackBerry Enterprise Server 12.x instances and confirm whether any affected versions from 12.0.0 through 12.5.2 are in use.
  • Review the BlackBerry vendor advisory referenced by NVD for mitigation or remediation guidance.
  • Restrict exposure of BES management and enrollment interfaces to trusted administrative networks where possible.
  • Audit enrolled devices and enrollment records for anomalies that could indicate spoofed or illegitimate device enrollment.
  • If a vulnerable version is present, prioritize vendor-recommended remediation and verify after changes that enrollment and device-parameter workflows behave as expected.
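A small triage helper for the inventory step above, added here as an example (it is not PatchSiren or BlackBerry code). Hostnames, version strings and the inventory shape are constructed; the affected range is the one NVD lists, and the letter-suffixed build "12.5.0a" is handled as the edge case it is.

```python
"""Check a BES inventory against the CVE-2016-3128 affected version range (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Affected range stated by NVD: BES 12.0.0 through 12.5.2 inclusive.
AFFECTED_MIN = (12, 0, 0)
AFFECTED_MAX = (12, 5, 2)

# Builds such as "12.5.0a" carry a letter suffix; the numeric part is what we
# compare, the suffix is ignored for range purposes.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z])?$")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for a BES version string, or None if it cannot be parsed."""
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def is_affected(version: str) -> Optional[bool]:
    """True if inside the NVD-listed range, False if outside it, None if unparsable."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    return AFFECTED_MIN <= parsed <= AFFECTED_MAX


# Constructed sample inventory; hostnames and versions are made up for illustration.
BES_INVENTORY = [
    {"host": "bes-prod-01", "version": "12.5.0a"},
    {"host": "bes-prod-02", "version": "12.5.2"},
    {"host": "bes-lab-01", "version": "12.6.0"},
    {"host": "bes-legacy", "version": "unknown"},
]


def triage(inventory: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Bucket hosts as affected, outside the listed range, or needing manual review."""
    buckets: Dict[str, List[str]] = {"affected": [], "outside_range": [], "review": []}
    for entry in inventory:
        verdict = is_affected(entry["version"])
        key = "review" if verdict is None else ("affected" if verdict else "outside_range")
        buckets[key].append(entry["host"])
    return buckets
```

Hosts landing in "outside_range" are simply not in NVD's affected list; confirm their status against the vendor advisory rather than treating the bucket as a clean bill.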

Evidence notes

The debrief is based only on the supplied CVE record, the NVD metadata, and the referenced BlackBerry advisory link listed in the source corpus. The CVE description explicitly identifies a spoofing issue in the core of BES 12 through 12.5.2 and the risk of illegitimate device enrollment, device-parameter access, and false information submission. NVD provides the affected version list, CVSS vector, and CWE-254 classification.

Official resources

CVE-2016-3128 was published on 2017-01-13 and later modified on 2026-05-13 in the supplied record. The dates in this debrief reflect the CVE and source timeline only.