PatchSiren cyber security CVE debrief
CVE-2016-5964 IBM CVE debrief
CVE-2016-5964 describes a weak account lockout control in IBM Security Privileged Identity Manager Virtual Appliance version 2.0.2. Because the lockout setting was inadequate, a remote attacker could repeatedly guess credentials and increase the chance of successful account compromise. NVD rates the issue Critical with a 9.8 CVSS v3.0 score, reflecting network accessibility and the potential for full confidentiality, integrity, and availability impact.
- Vendor: IBM
- Product: IBM Security Privileged Identity Manager Virtual Appliance 2.0.2
- CVE: CVE-2016-5964
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-01
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-01
- Advisory updated: 2026-05-13
Who should care
Administrators and security teams responsible for IBM Security Privileged Identity Manager Virtual Appliance 2.0.2, especially anyone exposing authentication services to untrusted networks. Identity and access management operators should treat any authentication-hardening weakness as high priority because it can be used to compromise privileged accounts.
Technical summary
NVD maps the weakness to CWE-284 (Improper Access Control) and lists the affected CPE as IBM Security Privileged Identity Manager version 2.0.2. The CVSS v3.0 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating the issue can be exploited over the network without privileges or user interaction and may lead to complete compromise once credentials are brute-forced. Note that the vector scores the consequence of a successful guess, not the effort of guessing: the weak lockout removes a brake on online password attacks, and real exposure depends on the strength of the passwords behind the affected accounts and on any rate limiting in front of the appliance. The record also includes an IBM PSIRT vendor advisory/patch reference.
Defensive priority
Critical. Authentication weaknesses that permit brute-force attempts against privileged identity systems can quickly become account takeover events. The combination of network reachability, no required privileges, and high impact makes this a top-priority remediation item for any exposed deployment.
Recommended defensive actions
- Confirm whether IBM Security Privileged Identity Manager Virtual Appliance 2.0.2 is in use anywhere in the environment.
- Review the IBM PSIRT advisory and apply the vendor patch or upgrade guidance referenced for this issue.
- Restrict exposure of authentication endpoints to trusted networks and administrative access paths only.
- Verify that account lockout, rate limiting, and related authentication controls are configured to enforce strong anti-brute-force protection.
- Monitor authentication logs for repeated failed login attempts and investigate any anomalous password-guessing activity.
- If the product is retired or no longer supported, plan replacement or isolation to reduce account compromise risk.
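The two verification steps above (checking that the lockout policy is actually strong, and watching the logs for repeated failures) can be worked through concretely. The Python below is an added example for this debrief; it is not IBM code and not part of the source record. The log line format, field names, sample lines and thresholds are all assumptions, because the source does not describe the appliance's log format: adapt parse_line() to whatever your collector receives. It does two things: guesses_per_day() gives the upper bound on online guesses per account that a lockout policy alone permits (the check to run against your configured threshold and duration), and scan() runs sliding-window detection over auth lines, flagging a burst of failures on one account, a single source failing against many accounts (spraying), and a success that lands right after a flagged burst, which is the event to investigate first.

```python
"""Lockout-policy check and brute-force / password-spray detection.

Added example for this debrief, not IBM code. Log format, field names,
thresholds and sample lines are assumptions; adapt parse_line() to the
format you actually collect from the appliance.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real appliance output). Assumed format:
#   <ISO-8601 timestamp> auth <OK|FAIL> user=<account> src=<client ip>
SAMPLE_LOG = """\
2017-02-01T10:00:00 auth FAIL user=admin src=203.0.113.7
2017-02-01T10:00:01 auth FAIL user=admin src=203.0.113.7
2017-02-01T10:00:02 auth FAIL user=admin src=203.0.113.7
2017-02-01T10:00:03 auth FAIL user=admin src=203.0.113.7
2017-02-01T10:00:04 auth FAIL user=admin src=203.0.113.7
2017-02-01T10:00:05 auth OK user=admin src=203.0.113.7
2017-02-01T10:01:00 auth FAIL user=alice src=198.51.100.9
2017-02-01T10:01:01 auth FAIL user=bob src=198.51.100.9
2017-02-01T10:01:02 auth FAIL user=carol src=198.51.100.9
2017-02-01T10:02:00 auth FAIL user=dave src=192.0.2.5
2017-02-01T10:02:01 auth OK user=dave src=192.0.2.5
2017-02-01T10:20:00 auth FAIL user=admin src=203.0.113.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return a dict for one auth line, or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "ok": m["result"] == "OK",
            "user": m["user"], "src": m["src"]}


class BruteForceDetector:
    """Sliding-window failure counters keyed by account and by source address."""

    def __init__(self, window_s=300, user_threshold=5, spray_threshold=3):
        self.window = timedelta(seconds=window_s)
        self.user_threshold = user_threshold    # failures on one account
        self.spray_threshold = spray_threshold  # distinct accounts from one source
        self.user_fail = defaultdict(deque)     # user -> deque[(ts, src)]
        self.src_fail = defaultdict(deque)      # src  -> deque[(ts, user)]
        self.alerts = []

    def _trim(self, dq, now):
        """Drop entries older than the window (input is assumed time-ordered)."""
        while dq and now - dq[0][0] > self.window:
            dq.popleft()

    def feed(self, ev):
        now, user, src, stamp = ev["ts"], ev["user"], ev["src"], ev["ts"].isoformat()
        uq = self.user_fail[user]
        self._trim(uq, now)
        if ev["ok"]:
            # A success landing on a flagged burst is the event to chase first.
            if len(uq) >= self.user_threshold:
                self.alerts.append(("possible_compromise", user, src, stamp))
            uq.clear()  # a successful login resets the account counter, as a lockout counter would
            return
        uq.append((now, src))
        if len(uq) == self.user_threshold:  # fires once, as the burst crosses the line
            self.alerts.append(("brute_force", user, src, stamp))
        sq = self.src_fail[src]
        sq.append((now, user))
        self._trim(sq, now)
        if len({u for _, u in sq}) == self.spray_threshold:
            self.alerts.append(("password_spray", src, self.spray_threshold, stamp))


def scan(log_text, **kw):
    """Run the detector over a block of log text and return its alerts."""
    det = BruteForceDetector(**kw)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            det.feed(ev)
    return det.alerts


def guesses_per_day(lockout_after, lockout_seconds):
    """Upper bound on online guesses per account per day that the lockout
    policy alone permits, assuming the attacker retries the instant the lock
    expires and nothing else rate-limits. 0 or None for either value means
    the policy never locks, i.e. unlimited guessing."""
    if not lockout_after or not lockout_seconds:
        return float("inf")
    return lockout_after * (86400 // lockout_seconds + 1)


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(*alert)
    print("5 failures / 30 min lock:", guesses_per_day(5, 1800))
    print("100 failures / 60 s lock:", guesses_per_day(100, 60))
```

On the sample above the detector raises exactly three alerts: brute_force on admin at the fifth failure, possible_compromise when admin then logs in successfully, and password_spray for 198.51.100.9 once it has failed against three different accounts; dave's single failure and admin's lone failure twenty minutes later fall outside the thresholds and window. The policy check makes the "inadequate lockout" point tangible: five failures with a 30-minute lock caps an attacker at 245 guesses per account per day, while a 100-failure threshold with a one-minute lock allows over 144,000, and a disabled lockout allows unlimited guessing.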
Evidence notes
The debrief is based on the supplied NVD record and its referenced IBM and SecurityFocus links. The source data identifies IBM Security Privileged Identity Manager Virtual Appliance 2.0.2 as vulnerable, describes the issue as an inadequate account lockout setting enabling remote brute-force credential attacks, and assigns CVSS v3.0 9.8 with CWE-284. No additional exploit details are used.
Official resources
- CVE-2016-5964 CVE record: CVE.org
- CVE-2016-5964 NVD detail: NVD
- Source item: NVD modified feed (nvd_modified)
- Mitigation or vendor reference: IBM PSIRT reference tagged Patch, Vendor Advisory (the reporting address is obfuscated in the stored record)
- Mitigation or vendor reference: reference tagged Third Party Advisory, VDB Entry, the SecurityFocus link named in the evidence notes (the reporting address is obfuscated in the stored record)
Public CVE record published by NVD on 2017-02-01 and later modified on 2026-05-13. This debrief uses the published CVE timeline provided in the source data and does not infer a separate disclosure date.