PatchSiren cyber security CVE debrief
CVE-2016-6092 IBM CVE debrief
CVE-2016-6092 describes a cleartext credential storage issue in IBM Key Lifecycle Manager products. According to the NVD record, affected versions include IBM Tivoli Key Lifecycle Manager 2.0.1.x and IBM Security Key Lifecycle Manager 2.5.x and 2.6.x. Because the credentials can be read by a local user, the main risk is unauthorized disclosure of sensitive authentication data, which can be reused to access protected systems or services.
- Vendor: IBM
- Product: CVE-2016-6092
- CVSS: MEDIUM 6.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-07
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-07
- Advisory updated: 2026-05-13
Who should care
IBM Key Lifecycle Manager administrators, endpoint and server teams with local user access on affected systems, and security teams responsible for credential protection and patch tracking.
Technical summary
NVD lists the weakness as CWE-200 and assigns CVSS 3.0 vector AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating a locally accessible information disclosure with high confidentiality impact and no integrity or availability impact. The issue is not remote code execution; it is exposure of stored credentials in clear text that a local user can read. The NVD CPE criteria enumerate affected IBM Tivoli Key Lifecycle Manager 2.0.1 through 2.0.1.8 and IBM Security Key Lifecycle Manager 2.5.0.0 through 2.5.0.7 and 2.6.0.0 through 2.6.0.2.
Defensive priority
Medium. The vulnerability requires local access, but exposed credentials can create broader follow-on risk if an attacker or unauthorized local account can read them.
Recommended defensive actions
- Apply IBM's remediation or upgrade guidance referenced in the vendor advisory linked from the NVD record.
- Review affected hosts for locally readable files, configuration stores, or logs that may contain credentials in clear text.
- Restrict local access on systems running Key Lifecycle Manager to trusted administrators only.
- Rotate any credentials that may have been exposed if the affected storage location is confirmed or suspected to have been accessible.
- Validate that backups, exports, and operational artifacts do not preserve cleartext secrets from the affected product versions.
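One way to carry out the host review in the second action above, as an added example that is not IBM's or the advisory's own tooling: it reports credential-like settings in files readable beyond the owning account, by key name only. The key-name pattern and the sample file names and contents are assumptions, since the page does not identify the affected files.

```python
import os
import re
import stat
import tempfile

# Assumed key names: the page does not name the affected files or settings.
CRED_LINE = re.compile(
    r"(?i)^\s*([\w.\-]*(?:password|passwd|pwd|secret)[\w.\-]*)\s*[=:]\s*\S+")
OTHERS_READ = stat.S_IRGRP | stat.S_IROTH  # readable beyond the owning account

def audit_tree(root, max_bytes=1_000_000):
    """Report credential-like keys (never values) in files readable beyond the owner."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: symlinks are skipped, not followed
                if (not stat.S_ISREG(st.st_mode) or st.st_size > max_bytes
                        or not st.st_mode & OTHERS_READ):
                    continue  # not a regular file, too large, or owner-only
                with open(path, "r", errors="replace") as fh:
                    for line_no, line in enumerate(fh, 1):
                        m = CRED_LINE.match(line)
                        if m:
                            findings.append((path, line_no, m.group(1),
                                             oct(st.st_mode & 0o777)))
            except OSError:
                continue  # unreadable or vanished file: keep auditing
    return findings

def demo():
    """Audit a constructed sample tree (file names and contents are made up)."""
    root = tempfile.mkdtemp(prefix="klm-audit-")
    samples = {
        "app.properties": (0o644, "db.user=klmadmin\ndb.password=constructed-value\n"),
        "private.properties": (0o600, "db.password=constructed-value\n"),
        "readme.txt": (0o644, "no secrets here\n"),
    }
    for name, (mode, text) in samples.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)
    return root, audit_tree(root)

if __name__ == "__main__":
    for path, line_no, key, mode in demo()[1]:
        print(f"{path}:{line_no}: {key} in file with mode {mode}")
```

Only POSIX mode bits on the file itself are checked; ACLs and parent-directory permissions are not evaluated, so treat a clean result as a starting point for the review.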
Evidence notes
Source evidence is limited to the official NVD record and the IBM PSIRT advisory reference included there. The NVD description explicitly states that IBM Tivoli Key Lifecycle Manager 2.0.1, 2.5, and 2.6 store user credentials in plain clear text readable by a local user. NVD classifies the issue as CWE-200 and provides the CVSS 3.0 vector AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The CPE criteria in the record enumerate affected Tivoli Key Lifecycle Manager 2.0.1.x and Security Key Lifecycle Manager 2.5.x/2.6.x versions. No exploit details are included here.
Official resources
- CVE-2016-6092 CVE record (CVE.org)
- CVE-2016-6092 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference ([email protected] - Patch, Vendor Advisory)
CVE published 2017-02-07; NVD record was last modified 2026-05-13. The issue is documented in official sources and is not marked as KEV.