PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-5966 IBM CVE debrief

CVE-2016-5966 describes a missing HTTP Strict Transport Security (HSTS) control in IBM Security Privileged Identity Manager Virtual Appliance. According to the NVD record, this weakness can expose sensitive information to a remote attacker using man-in-the-middle techniques. NVD rates the issue as CVSS 3.0 5.9 (Medium), with network attack vector and no privileges or user interaction required.

Vendor
IBM
Product
IBM Security Privileged Identity Manager Virtual Appliance
CVSS
MEDIUM 5.9
CISA KEV
Not listed in stored evidence
Original CVE published
2017-02-01
Original CVE updated
2026-05-13
Advisory published
2017-02-01
Advisory updated
2026-05-13

Who should care

Organizations running IBM Security Privileged Identity Manager Virtual Appliance 2.0.2 or 2.1, especially where the appliance is reachable over untrusted networks or where users may connect over paths that could be intercepted.

Technical summary

NVD maps the vulnerability to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and lists affected CPEs for IBM Security Privileged Identity Manager 2.0.2 and 2.1. The core issue is that HTTP Strict Transport Security was not properly enabled. Without an HSTS policy, a browser is never instructed to refuse plain-HTTP connections to the host, which leaves clients more exposed to SSL/TLS downgrade or interception scenarios and permits sensitive data disclosure if a network attacker can place themselves in the traffic path. The published CVSS vector is CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N.

Defensive priority

Medium. This is an information-disclosure risk rather than an integrity or availability issue, but it still matters where the appliance handles credentials, tokens, or other sensitive administrative data over web sessions.

Recommended defensive actions

  • Review the IBM vendor advisory and apply the patch or remediation guidance referenced for CVE-2016-5966.
  • Verify whether Security Privileged Identity Manager Virtual Appliance versions 2.0.2 or 2.1 are in use and prioritize them for remediation if so.
  • Confirm that HTTPS is enforced end-to-end and that HSTS is enabled on affected web-facing services where supported.
  • Inspect adjacent network paths and client access patterns for any exposure to interception risk until remediation is complete.
  • If immediate patching is not possible, restrict access to the appliance to trusted network paths and monitored management channels.
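To support the "confirm HSTS is enabled" action above, the following added script (not IBM's code and not specific to the appliance; the sample responses and the one-year max-age threshold are constructed assumptions) parses a Strict-Transport-Security header the way RFC 6797 describes and reports why a policy is missing or too weak, including the case where the header is only sent over plain HTTP and is therefore ignored by browsers.

```python
"""Check whether an HTTPS response carries a usable HSTS policy.

Added illustration for the CVE-2016-5966 debrief; not IBM's code.
The sample headers at the bottom are constructed, and MIN_MAX_AGE is a
local policy assumption (one year, the value commonly required for
preload eligibility), not a vendor-stated number.
"""
import re
import ssl
import urllib.request
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MIN_MAX_AGE = 31_536_000  # one year, in seconds (assumed threshold)


@dataclass
class HstsResult:
    present: bool
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    findings: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        """True only when the header exists and nothing was flagged."""
        return self.present and not self.findings


def parse_hsts(value: str) -> HstsResult:
    """Parse a Strict-Transport-Security header value (RFC 6797 syntax)."""
    result = HstsResult(present=True)
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')  # the value may be a quoted-string
        if name == "max-age":
            if not re.fullmatch(r"\d+", arg):
                result.findings.append(f"max-age is not a non-negative integer: {arg!r}")
                continue
            result.max_age = int(arg)
        elif name == "includesubdomains":
            result.include_subdomains = True
        elif name == "preload":
            result.preload = True
        # RFC 6797 requires unknown directives to be ignored, so no finding here
    if result.max_age is None:
        result.findings.append("max-age directive missing; browsers ignore the header")
    elif result.max_age == 0:
        result.findings.append("max-age=0 clears the policy rather than enforcing it")
    elif result.max_age < MIN_MAX_AGE:
        result.findings.append(f"max-age {result.max_age} is below the {MIN_MAX_AGE}s minimum")
    if not result.include_subdomains:
        result.findings.append("includeSubDomains absent; subdomains stay unprotected")
    return result


def check_hsts(headers: Dict[str, str], scheme: str = "https") -> HstsResult:
    """Evaluate response headers fetched over `scheme` ("https" or "http")."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    value = lowered.get("strict-transport-security")
    if value is None:
        return HstsResult(present=False, findings=["Strict-Transport-Security header missing"])
    result = parse_hsts(value)
    if scheme != "https":
        # RFC 6797 section 8.1: a UA must ignore HSTS received over non-secure transport
        result.findings.append("header seen over plain HTTP; browsers will not honour it")
    return result


def fetch_headers(url: str, timeout: float = 10.0) -> Dict[str, str]:
    """Fetch live response headers for a real check; certificate validation stays on."""
    req = urllib.request.Request(url, method="HEAD")
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return dict(resp.headers.items())


# Constructed sample responses, one per scenario a reviewer is likely to meet
SAMPLES = {
    "missing": {"Content-Type": "text/html"},
    "weak": {"Strict-Transport-Security": "max-age=300"},
    "good": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        r = check_hsts(hdrs)
        print(f"{name}: {'OK' if r.ok else 'FAIL'} {r.findings}")
```

For a live appliance, call `check_hsts(fetch_headers("https://<host>/"))` and, separately, `check_hsts(fetch_headers("http://<host>/"), scheme="http")`; the second call matters because an HSTS header that is only served on the plain-HTTP listener gives no protection at all.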

Evidence notes

The debrief is based only on the supplied NVD-derived corpus and the referenced official/vendor links. The corpus states that IBM Security Privileged Identity Manager Virtual Appliance could allow a remote attacker to obtain sensitive information because HTTP Strict Transport Security was not properly enabled. NVD lists affected versions 2.0.2 and 2.1, CWE-200, and CVSS 3.0 vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N. IBM vendor advisory and SecurityFocus entries are referenced by NVD, but no additional unsupported claims are used here.

Official resources

CVE-2016-5966 was published in the source corpus on 2017-02-01T20:59:01.410Z, with IBM advisory references included in the NVD record. Use the published date for timing context; no later generation or review date is treated as the issue's C