PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-6077 IBM CVE debrief

CVE-2016-6077 covers a command-execution issue in IBM Cognos Disclosure Management 10.2. According to the CVE/NVD metadata, an attacker could execute commands with the privileges of a lower-privileged user when that user opens a malicious document. The CVE was published on 2017-02-15. NVD lists affected versions from 10.2.0 through 10.2.6 and assigns a medium severity score.

Vendor: IBM
Product: IBM Cognos Disclosure Management 10.2
CVE: CVE-2016-6077
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-15
Original CVE updated: 2026-05-13
Advisory published: 2017-02-15
Advisory updated: 2026-05-13

Who should care

Administrators and security teams responsible for IBM Cognos Disclosure Management 10.2 deployments, especially environments where users open externally supplied or untrusted documents.

Technical summary

NVD describes the issue as command execution that requires user interaction (UI:R) and local access (AV:L), with no privileges required before that interaction (PR:N). The weakness is mapped to CWE-284 (Improper Access Control). The vulnerable versions listed in the source corpus are IBM Cognos Disclosure Management 10.2.0, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.5, and 10.2.6. The supplied IBM advisory reference is IBM Reference #1991584.

Defensive priority

Medium. The issue is not marked as a known exploited vulnerability in the provided data, but it can still lead to command execution when users open a malicious document, so systems that process untrusted files should be reviewed promptly.

Recommended defensive actions

  • Review IBM advisory reference 1991584 and apply the vendor patch or remediation guidance for affected Cognos Disclosure Management 10.2 systems.
  • Restrict exposure to untrusted or externally supplied documents until affected systems are updated.
  • Limit who can open and process documents in impacted environments, using least privilege and role separation where possible.
  • Monitor for suspicious document-handling activity or unexpected command execution on affected hosts.
  • Verify whether deployed IBM Cognos Disclosure Management versions fall within 10.2.0 through 10.2.6 and prioritize those systems for remediation.
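The last action above, checking deployed versions against the 10.2.0 through 10.2.6 range, is easy to get wrong with plain string comparison (where "10.2.10" sorts before "10.2.6"). The script below is an added example, not a PatchSiren or IBM tool: it compares versions as integer tuples against the range stated in this debrief. The inventory rows are constructed, and the treatment of four-component versions (e.g. 10.2.6.1 handled as its 10.2.6 base) and of two-component versions ("10.2" handled as 10.2.0) is an assumption, since the page lists only three-component versions.

```python
"""Flag inventory entries whose IBM Cognos Disclosure Management version
falls within the affected range 10.2.0 through 10.2.6 named in the debrief.

Added example, not a PatchSiren or IBM tool. Inventory rows are constructed.
Versions are compared as integer tuples, not strings, so that 10.2.10 does
not sort before 10.2.6 as it would under string comparison.
"""

PRODUCT = "IBM Cognos Disclosure Management"
AFFECTED_MIN = (10, 2, 0)   # from the debrief's listed CPEs
AFFECTED_MAX = (10, 2, 6)

# Constructed sample inventory; host names and versions are made up.
INVENTORY = [
    {"host": "rpt-01", "product": PRODUCT, "version": "10.2.3"},
    {"host": "rpt-02", "product": PRODUCT, "version": "10.2.10"},   # string compare would misflag this
    {"host": "rpt-03", "product": PRODUCT, "version": "10.2.6.1"},  # fix pack on an affected base (assumption)
    {"host": "rpt-04", "product": PRODUCT, "version": "11.0.0"},
    {"host": "app-09", "product": "Some Other Product", "version": "10.2.1"},
]


def parse_version(text):
    """Turn '10.2.3' into (10, 2, 3); reject anything non-numeric."""
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            raise ValueError("non-numeric version component in %r" % text)
        parts.append(int(piece))
    return tuple(parts)


def is_affected(version):
    """True if the version's first three components lie in the affected range.

    Assumption: a fourth component (fix pack) is ignored, and a missing third
    component is treated as 0, because the page enumerates only x.y.z versions.
    """
    v = parse_version(version)[:3]
    v = v + (0,) * (3 - len(v))
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def affected_hosts(inventory):
    """Return host names running the affected product in the affected range."""
    return [
        row["host"]
        for row in inventory
        if row["product"] == PRODUCT and is_affected(row["version"])
    ]


if __name__ == "__main__":
    for host in affected_hosts(INVENTORY):
        print("prioritize for remediation:", host)
```

Only rows whose product field matches are considered, so an unrelated product at version 10.2.1 is not flagged.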

Evidence notes

Source corpus evidence links the CVE to IBM Cognos Disclosure Management 10.2 and lists vulnerable CPEs for 10.2.0 through 10.2.6. The NVD vector is CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L, which supports a user-interaction-driven command-execution scenario with low impact on confidentiality, integrity, and availability. The IBM advisory reference in the corpus is http://www-01.ibm.com/support/docview.wss?uid=swg21991584, and a third-party advisory reference is provided via SecurityFocus BID 93829.

Official resources

The official CVE/NVD publication date used here is 2017-02-15. The source metadata was later modified on 2026-05-13, but that modification date is not treated as the issue date. No KEV listing was provided in the source corpus.