PatchSiren cyber security CVE debrief

CVE-2016-6020 IBM CVE debrief

CVE-2016-6020 describes an open redirect weakness in IBM Sterling B2B Integrator Standard Edition that could be used in phishing-style attacks. A remote attacker could lure a victim to a specially crafted website and cause the victim’s browser to be redirected to a malicious site while displaying a trusted-looking URL path, increasing the chance of credential theft or other follow-on abuse. NVD assigns a medium CVSS 6.1 score, and the issue is classified as CWE-601 (URL Redirection to Untrusted Site).

Vendor: IBM
Product: CVE-2016-6020
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-01
Original CVE updated: 2026-05-13
Advisory published: 2017-02-01
Advisory updated: 2026-05-13

Who should care

Organizations running IBM Sterling B2B Integrator, especially Standard Edition deployments that expose redirect or URL-handling flows to users over the web. Security teams should care because the weakness is remotely reachable and requires only user interaction, making it suitable for phishing and trust-spoofing campaigns.

Technical summary

NVD describes the issue as an open redirect vulnerability in IBM Sterling B2B Integrator Standard Edition. The CVSS v3.0 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network reachability, no privileges required, and user interaction required. The affected CPE entries in NVD include IBM Sterling B2B Integrator versions 5.2, 5.2.1, 5.2.2, 5.2.4, 5.2.4.1, 5.2.4.2, 5.2.5, and 5.2.6.

Defensive priority

Medium. The weakness is not a direct code-execution issue, but it is internet-reachable, does not require authentication, and can support phishing and trust abuse. Prioritize if the product is exposed to end users or external partners.

Recommended defensive actions

  • Review IBM’s vendor advisory and apply the vendor-recommended patch or update for affected Sterling B2B Integrator deployments.
  • Inventory all IBM Sterling B2B Integrator instances and confirm whether any listed vulnerable versions are in use.
  • Audit redirect, login, and callback-style endpoints for untrusted destination handling and remove or constrain open redirects where possible.
  • Add server-side validation and allowlisting for any required redirect targets so users cannot be sent to arbitrary external domains.
  • Monitor for suspicious links or user-reported phishing that leverages trusted IBM-hosted URLs or branded redirect flows.
  • If immediate remediation is not possible, reduce exposure by limiting external access to affected web interfaces and warning users about unexpected redirect behavior.
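The server-side validation and allowlisting from the third and fourth actions above, as an added example in Python that is not IBM's code or taken from the advisory; the allowed host names and the default landing path are constructed placeholders.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed placeholders: a real deployment lists its own hosts.
ALLOWED_HOSTS = {"b2b.example.com", "partner.example.com"}
DEFAULT_TARGET = "/dashboard"


def safe_redirect_target(raw: str) -> str:
    """Return a redirect destination that is either a same-site path or an
    https URL whose host is on the allowlist; anything else falls back to
    DEFAULT_TARGET instead of being passed to the browser."""
    if not raw or len(raw) > 2048:
        return DEFAULT_TARGET
    # Browsers treat backslashes as slashes, so "/\evil.example" would be
    # a protocol-relative URL to the browser; normalise before parsing.
    candidate = raw.replace("\\", "/").strip()
    # Embedded control characters (tab, newline) are used to smuggle a
    # second URL past naive prefix checks; reject them outright.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in candidate):
        return DEFAULT_TARGET
    try:
        parts = urlsplit(candidate)
        port = parts.port  # may raise ValueError on a malformed port
    except ValueError:
        return DEFAULT_TARGET
    if parts.scheme == "" and parts.netloc == "":
        # Relative target: accept only a single-slash path; "//host" and
        # "///host" are network-path references, not same-site paths.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return DEFAULT_TARGET
    # Absolute target: https only, and the *effective* host must be listed.
    # parts.hostname is the part after any "user@" prefix, so
    # "https://b2b.example.com@evil.example/" resolves to evil.example.
    if parts.scheme.lower() != "https":
        return DEFAULT_TARGET
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return DEFAULT_TARGET
    # Rebuild from parsed parts so userinfo and casing tricks do not survive.
    netloc = host if port is None else f"{host}:{port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample inputs of the kind a "returnUrl" parameter might carry.
    for sample in ("/orders/42", "//evil.example/login", "/\\evil.example",
                   "https://b2b.example.com@evil.example/", "javascript:alert(1)",
                   "https://B2B.example.com/inbox?x=1"):
        print(f"{sample!r:45} -> {safe_redirect_target(sample)}")
```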

Evidence notes

This debrief is based on the supplied NVD record and the referenced IBM PSIRT advisory link. The NVD record states that the vulnerability is an open redirect usable for phishing, maps it to CWE-601, provides the CVSS v3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, and lists the affected IBM Sterling B2B Integrator CPEs. The IBM advisory reference and SecurityFocus entry are present in the supplied corpus; no remediation details beyond what these sources support were inferred.

Official resources

CVE published on 2017-02-01T20:59:01.660Z. The supplied NVD record was later modified on 2026-05-13T00:24:29.033Z; this debrief uses the CVE published date as the disclosure anchor.