PatchSiren cyber security CVE debrief
CVE-2016-9010 IBM CVE debrief
CVE-2016-9010 describes a remotely exploitable click hijacking issue in IBM message broker products. A victim can be lured to a malicious website, where the attacker may hijack click actions and potentially drive further attacks. The CVE was published on 2017-02-15 and NVD lists it as Modified on 2026-05-13.
- Vendor: IBM
- Product: CVE-2016-9010
- CVSS: MEDIUM 6.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-15
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-15
- Advisory updated: 2026-05-13
Who should care
Administrators and security teams responsible for IBM WebSphere Message Broker or IBM Integration Bus deployments, especially environments where users may browse untrusted web content while working on affected systems.
Technical summary
NVD maps the issue to IBM WebSphere Message Broker 8.0 and IBM Integration Bus 9.0/10.0, while the CVE description specifically mentions IBM WebSphere Message Broker 9.0 and 10.0. The CVSS v3.0 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N: the attack is network-based with low attack complexity, needs no privileges, and requires user interaction. Scope is changed, confidentiality and integrity impact are both low, and there is no availability impact, so an attacker can affect confidentiality and integrity at a limited level once the user clicks through the malicious web content.
Defensive priority
Medium. Treat as a standard patching priority, but move faster if the affected products are exposed in user-facing environments where web browsing or link following is common.
Recommended defensive actions
- Review the IBM PSIRT advisory (IBM Reference #1997906) for vendor guidance and patch information.
- Inventory IBM WebSphere Message Broker and IBM Integration Bus installations and compare them against the vulnerable versions listed by NVD.
- Apply vendor-recommended updates or mitigations from the IBM advisory to affected systems.
- Reduce exposure by limiting access to untrusted websites from users operating affected environments until remediation is complete.
- Validate that any security controls relying on click integrity or embedded UI interactions are not assuming protection against frame or click hijacking.
Evidence notes
The source corpus states that a remote attacker can persuade a victim to visit a malicious website and hijack click actions. NVD records the issue as CVSS 3.0 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N and lists vulnerable CPEs for IBM WebSphere Message Broker 8.0 and IBM Integration Bus 9.0/10.0. The IBM advisory reference in the corpus is http://www.ibm.com/support/docview.wss?uid=swg21997906. No fixed version numbers or patch identifiers are included in the supplied corpus.
Official resources
- CVE-2016-9010 CVE record (CVE.org)
- CVE-2016-9010 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference ([email protected] - Patch, Vendor Advisory)
- Source reference
Published by NVD and the CVE record on 2017-02-15; NVD marked the entry Modified on 2026-05-13. No KEV listing is present in the supplied corpus.