PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-8932 IBM CVE debrief

CVE-2016-8932 describes an IBM Kenexa LMS on Cloud flaw where arbitrary file upload could enable code execution on the vulnerable server. NVD rates the issue high severity (CVSS 8.8) with network access, low attack complexity, and low privileges required. The affected product versions listed by NVD are IBM Kenexa LMS 4.1, 4.2, 4.2.2, 4.2.3, 4.2.4, 5.0, 5.1, and 5.2. IBM published a vendor advisory and patch reference, and the NVD record was later modified on 2026-05-13.

Vendor: IBM
Product: CVE-2016-8932
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-01
Original CVE updated: 2026-05-13
Advisory published: 2017-02-01
Advisory updated: 2026-05-13

Who should care

IBM Kenexa LMS administrators, security teams responsible for learning management systems, and any organization running the affected IBM Kenexa LMS versions exposed to untrusted users or the network.

Technical summary

NVD maps this issue to CWE-284 and assigns CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The core risk is that insufficient access control around file upload handling could let an attacker place arbitrary files on the server and potentially execute code. The NVD CPE match lists IBM Kenexa LMS versions 4.1, 4.2, 4.2.2, 4.2.3, 4.2.4, 5.0, 5.1, and 5.2 as affected.

Defensive priority

High. The combination of network reachability, low complexity, and potential full confidentiality/integrity/availability impact makes this a priority issue for any exposed or production Kenexa LMS deployment.

Recommended defensive actions

  • Apply IBM’s vendor patch or follow the IBM support advisory referenced in the NVD record.
  • Identify every IBM Kenexa LMS instance and confirm whether it matches one of the affected versions listed by NVD.
  • Restrict access to upload features and administrative functions to trusted users only, using least privilege and strong authentication.
  • Review server-side file upload handling, storage paths, and execution permissions to ensure uploaded content cannot be executed.
  • Monitor logs and uploaded content for unexpected file types, anomalous uploads, or signs of post-upload execution.
  • If the product cannot be patched promptly, isolate the application and reduce network exposure until remediation is complete.
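The following is an added example of the upload-handling controls the list above asks for (restricting the upload feature to authorized roles, allowlisting file types, checking content against the declared type, rejecting double extensions and path components, storing under a random name with no execute bit). It is illustrative code written for this debrief, not IBM Kenexa LMS code, and everything in it is assumed: the role names, the allowlisted types and their magic bytes, the function names, and the constructed sample inputs.

```python
"""Hardened upload handling (added example; not IBM Kenexa LMS code).

All names here (ALLOWED_TYPES, validate_upload, store_upload, handle_upload,
UPLOAD_ROLES) and the sample data in demo() are assumptions made for this
illustration.
"""
import os
import re
import secrets
import tempfile
from dataclasses import dataclass

# Roles assumed to be allowed to use the upload feature (CWE-284 control:
# the endpoint itself must check authorization, not only the UI).
UPLOAD_ROLES = {"instructor", "admin"}

# Allowlist of extensions with the leading bytes the content must start with.
# Constructed for the example; an LMS would tune this to what it really serves.
ALLOWED_TYPES = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "zip": (b"PK\x03\x04",),  # e.g. SCORM packages are zip archives
}

SAFE_BASENAME = re.compile(r"^[A-Za-z0-9_.-]{1,100}$")


@dataclass
class UploadDecision:
    accepted: bool
    reason: str
    stored_name: str = ""


def validate_upload(filename: str, data: bytes,
                    max_bytes: int = 50 * 1024 * 1024) -> UploadDecision:
    """Decide whether an upload is acceptable and pick a server-chosen name."""
    base = os.path.basename(filename)
    # Reject any client-supplied directory part or unusual characters.
    if base != filename or not SAFE_BASENAME.match(base):
        return UploadDecision(False, "unsafe filename")
    parts = base.lower().split(".")
    # Exactly one extension: blocks "report.pdf.jsp"-style double extensions.
    if len(parts) != 2 or not parts[0]:
        return UploadDecision(False, "exactly one extension required")
    ext = parts[1]
    if ext not in ALLOWED_TYPES:
        return UploadDecision(False, f"extension .{ext} not allowed")
    if len(data) == 0 or len(data) > max_bytes:
        return UploadDecision(False, "size out of range")
    # The bytes must match the declared type, not just the name.
    if not any(data.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        return UploadDecision(False, "content does not match declared type")
    # Never reuse the client's name on disk: a random name prevents overwrite
    # of existing files and makes the stored path unguessable.
    return UploadDecision(True, "ok", f"{secrets.token_hex(16)}.{ext}")


def store_upload(root: str, decision: UploadDecision, data: bytes) -> str:
    """Write an accepted upload with no execute bit and no overwrite."""
    if not decision.accepted:
        raise ValueError(f"refusing to store rejected upload: {decision.reason}")
    path = os.path.join(root, decision.stored_name)
    # O_EXCL: fail rather than clobber; mode 0o640: readable, never executable.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def has_exec_bit(path: str) -> bool:
    """True if any execute bit is set on the stored file (should be False)."""
    return bool(os.stat(path).st_mode & 0o111)


def handle_upload(user_roles: set, filename: str, data: bytes,
                  root: str) -> UploadDecision:
    """Authorization check first, then validation, then storage."""
    if not (user_roles & UPLOAD_ROLES):
        return UploadDecision(False, "user not authorized to upload")
    decision = validate_upload(filename, data)
    if decision.accepted:
        store_upload(root, decision, data)
    return decision


def demo() -> dict:
    """Run the flow on a constructed PDF sample in a temporary directory."""
    root = tempfile.mkdtemp(prefix="lms-uploads-")
    sample = b"%PDF-1.4\n% constructed sample, not a real document\n"
    decision = handle_upload({"instructor"}, "syllabus.pdf", sample, root)
    path = os.path.join(root, decision.stored_name)
    return {
        "accepted": decision.accepted,
        "exec_bit": has_exec_bit(path),
        "size": os.path.getsize(path),
        "client_name_reused": decision.stored_name == "syllabus.pdf",
    }


if __name__ == "__main__":
    print(demo())
```

The order in handle_upload matters: the role check runs before any file handling, so an unauthenticated or low-privileged caller never reaches the parser or the disk. The storage directory should additionally sit outside the web root or be served with script execution disabled, which is a deployment setting this snippet cannot enforce on its own.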

Evidence notes

The debrief is based on the supplied NVD record and its referenced IBM advisory. The vulnerability description states that IBM Kenexa LMS on Cloud could allow arbitrary file upload leading to arbitrary code execution. NVD lists affected CPEs for IBM Kenexa LMS versions 4.1, 4.2, 4.2.2, 4.2.3, 4.2.4, 5.0, 5.1, and 5.2, and the weakness is mapped to CWE-284. The record’s CVSS vector is CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The CVE was published on 2017-02-01 and later modified on 2026-05-13.

Official resources

Published by CVE on 2017-02-01T22:59:00.900Z. The NVD record was modified on 2026-05-13T00:24:29.033Z. This CVE is not marked as a KEV entry in the supplied data.