PatchSiren cyber security CVE debrief
CVE-2016-2880 IBM CVE debrief
IBM QRadar 7.2 contains a local credential-protection flaw: the encryption key used to encrypt the service account password is stored in a way that a local user can obtain. NVD classifies the issue as high severity (CVSS 3.0: 7.8) and maps it to CWE-320. The vulnerable versions listed in the supplied corpus are QRadar 7.2.0 through 7.2.7. IBM’s advisory is referenced in the record, indicating vendor remediation guidance is available.
- Vendor: IBM
- Product: CVE-2016-2880
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-03-01
- Original CVE updated: 2026-05-13
- Advisory published: 2017-03-01
- Advisory updated: 2026-05-13
Who should care
Organizations running IBM QRadar Security Information and Event Manager 7.2.0 through 7.2.7, especially environments where local shell or OS access is granted to more than a tightly controlled administrative group.
Technical summary
The vulnerability is a local information exposure affecting credential protection. According to the supplied NVD data, a local user can obtain the encryption key used to encrypt the service account password. The attack vector is local (AV:L) with low complexity and low privileges required, and the impact rating reflects potential high confidentiality, integrity, and availability consequences once the protected credential material is exposed. The record associates the flaw with CWE-320 and lists QRadar 7.2.0-7.2.7 as vulnerable.
Defensive priority
High. Because exploitation requires local access but can expose sensitive service-account protection material, it should be addressed promptly on any affected QRadar deployment that has non-admin local users or broad OS access.
Recommended defensive actions
- Confirm whether any IBM QRadar installation is running version 7.2.0 through 7.2.7.
- Apply IBM’s vendor remediation guidance from the referenced support advisory.
- Restrict local operating-system access on QRadar hosts to only essential administrators.
- Review service-account password handling and rotate affected credentials after remediation, following your change-control process.
- Audit local user access and remove unnecessary accounts or privileges on QRadar systems.
- Monitor for unexpected local logins or administrative activity on affected appliances while remediation is underway.
Evidence notes
All factual claims are drawn from the supplied NVD record and IBM PSIRT-linked advisory reference. The record states that QRadar 7.2 stores the encryption key used to encrypt the service account password and that a local user can obtain it. Vulnerable versions are enumerated in the NVD CPE criteria as 7.2.0 through 7.2.7. The CVSS vector provided in the corpus is AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, and the weakness classification is CWE-320.
Official resources
- CVE-2016-2880 CVE record (CVE.org)
- CVE-2016-2880 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] - Patch, Vendor Advisory
- Source reference
CVE published on 2017-03-01 and the supplied NVD record was last modified on 2026-05-13. The corpus does not indicate a CISA KEV listing.