PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-9703 IBM CVE debrief

CVE-2016-9703 is a low-severity IBM Security Identity Manager Virtual Appliance issue in which session tokens are not invalidated properly. According to the CVE/NVD record, an unauthorized user with physical access to the workstation could use that weakness to obtain sensitive information. The vulnerable IBM Security Identity Manager Virtual Appliance versions listed by NVD span 7.0.0.0 through 7.0.1.4.

Vendor: IBM
CVE: CVE-2016-9703
Product: IBM Security Identity Manager Virtual Appliance
CVSS: LOW 2.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-01
Original CVE updated: 2026-05-13
Advisory published: 2017-02-01
Advisory updated: 2026-05-13

Who should care

Administrators and operators of IBM Security Identity Manager Virtual Appliance deployments, especially where workstations may be shared, unattended, or physically accessible to non-administrators.

Technical summary

The NVD description states that the appliance does not invalidate session tokens. NVD maps the issue to CWE-384 and lists affected IBM Security Identity Manager Virtual Appliance versions 7.0.0.0, 7.0.0.1, 7.0.0.2, 7.0.0.3, 7.0.1.0, 7.0.1.1, 7.0.1.2, 7.0.1.3, and 7.0.1.4. The published CVSS vector is CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, reflecting a physically reachable attack path with limited confidentiality impact.
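The defect class NVD maps to CWE-384 is easiest to see in code. The following is an added illustration, not IBM's code and not derived from the appliance: a constructed server-side session store in which one logout routine only clears the client cookie (so a token left behind on a workstation is still honoured by the server), while the corrected routine drops the server-side entry and an idle timeout bounds the lifetime of any token that was never logged out. The timeout value and the user name are assumptions for the example.

```python
import secrets

# Constructed policy value for the example; the advisory specifies no timeout.
IDLE_TIMEOUT_S = 15 * 60


class SessionStore:
    """Server-side session table keyed by a random token (constructed example)."""

    def __init__(self):
        self._sessions = {}  # token -> {"user": str, "last_seen": float}

    def login(self, user, now):
        """Issue a fresh, unpredictable token; never accept a caller-supplied one."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "last_seen": now}
        return token

    def user_for(self, token, now):
        """Return the user bound to token, or None if the token is not valid."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        if now - entry["last_seen"] > IDLE_TIMEOUT_S:
            # Idle too long: discard the entry so the token cannot be reused.
            del self._sessions[token]
            return None
        entry["last_seen"] = now
        return entry["user"]

    def logout_client_only(self, token):
        """Defective pattern: tells the browser to forget the cookie but leaves
        the server-side entry intact, so anyone who still holds the token value
        (for example from an unattended workstation) can keep using it."""
        return "Set-Cookie: session=; Max-Age=0"

    def logout(self, token):
        """Correct pattern: invalidate the token on the server as well."""
        self._sessions.pop(token, None)
        return "Set-Cookie: session=; Max-Age=0"

    def logout_all_for_user(self, user):
        """Invalidate every session of a user, e.g. after a credential change.
        Returns the number of sessions removed."""
        stale = [t for t, e in self._sessions.items() if e["user"] == user]
        for t in stale:
            del self._sessions[t]
        return len(stale)


def demo():
    """Walk through the defective and corrected behaviour on one store."""
    now = 1_700_000_000.0  # constructed clock value
    store = SessionStore()

    t = store.login("alice", now)
    store.logout_client_only(t)
    after_client_logout = store.user_for(t, now + 1)   # still "alice": the defect

    store.logout(t)
    after_server_logout = store.user_for(t, now + 2)   # None: token invalidated

    t2 = store.login("alice", now)
    after_idle = store.user_for(t2, now + IDLE_TIMEOUT_S + 1)  # None: idle expiry

    return after_client_logout, after_server_logout, after_idle


if __name__ == "__main__":
    print(demo())
```

The point of the contrast is that a logout which only manipulates the cookie leaves the server unable to distinguish the legitimate user from anyone who later reads the same token off the workstation; invalidating the server-side record is what actually ends the session.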

Defensive priority

Low. The issue requires physical access and is described as having a confidentiality-only impact, but it still matters in shared-console or kiosk-like environments.

Recommended defensive actions

  • Apply the IBM remediation referenced in the vendor advisory.
  • Restrict physical access to affected workstations and consoles.
  • Ensure users fully log out of sessions when leaving a workstation unattended.
  • Review shared-device and kiosk policies for any environment running the affected appliance.
  • Verify whether any deployed IBM Security Identity Manager Virtual Appliance instances match the affected versions listed by NVD.
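To support the last action above, here is an added example (not PatchSiren's or IBM's tooling) that checks an inventory export against the exact version list NVD publishes for this CVE. The inventory CSV, its hostnames and its column names are constructed for the example; the affected-version set is taken from the debrief. Versions with fewer than four components are flagged for manual review rather than silently matched, since an inventory label such as "7.0.1" could refer to any 7.0.1.x build.

```python
import csv
import io

# Versions NVD lists as affected for CVE-2016-9703 (from the debrief above).
AFFECTED_VERSIONS = frozenset({
    "7.0.0.0", "7.0.0.1", "7.0.0.2", "7.0.0.3",
    "7.0.1.0", "7.0.1.1", "7.0.1.2", "7.0.1.3", "7.0.1.4",
})
PRODUCT = "IBM Security Identity Manager Virtual Appliance"

# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = """\
hostname,product,version
isim-va-prod-01,IBM Security Identity Manager Virtual Appliance,7.0.1.3
isim-va-prod-02,IBM Security Identity Manager Virtual Appliance,7.0.1.4
isim-va-lab-01,IBM Security Identity Manager Virtual Appliance,7.0.2.0
isim-va-lab-02,IBM Security Identity Manager Virtual Appliance,7.0.1
isim-va-lab-03,IBM Security Identity Manager Virtual Appliance,unknown
other-app-01,Some Other Product,7.0.1.3
"""


def classify(product, version):
    """Map one (product, version) pair to a triage status."""
    if product.strip() != PRODUCT:
        return "not_applicable"
    v = version.strip()
    if not v or not all(p.isdigit() for p in v.split(".")):
        return "unparseable"          # cannot decide; needs a human look
    if v in AFFECTED_VERSIONS:
        return "affected"
    if v.count(".") != 3:
        return "review"               # imprecise label, e.g. "7.0.1"
    return "not_listed"


def triage(inventory_csv):
    """Return {hostname: status} for every row of the inventory export."""
    result = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        result[row["hostname"]] = classify(row["product"], row["version"])
    return result


def hosts_needing_action(inventory_csv):
    """Hosts that are confirmed affected or cannot be cleared from the data."""
    needs_action = {"affected", "review", "unparseable"}
    return sorted(h for h, s in triage(inventory_csv).items() if s in needs_action)


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:18} {status}")
    print("action:", hosts_needing_action(SAMPLE_INVENTORY))
```

Treating "review" and "unparseable" as action items, rather than as cleared, keeps a sloppy inventory from hiding an affected appliance; a host is only marked not_listed when its full four-part version is known and absent from the NVD list.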

Evidence notes

The summary is based on the CVE/NVD record and the IBM PSIRT vendor advisory reference. NVD marks the vulnerability as modified on 2026-05-13 and shows the CVE was published on 2017-02-01. The record includes IBM’s advisory reference and lists affected versions 7.0.0.0 through 7.0.1.4. The CVSS vector and CWE mapping were taken from the NVD metadata.

Official resources

Publicly disclosed in the CVE/NVD record on 2017-02-01. The NVD entry was last modified on 2026-05-13.