PatchSiren cyber security CVE debrief
CVE-2016-9992 IBM CVE debrief
CVE-2016-9992 is a SQL injection vulnerability in IBM Kenexa LCMS Premier on Cloud. NVD rates it High (CVSS 7.1) and maps it to CWE-89. A remote attacker with low privileges could submit crafted SQL input to read, add, modify, or delete backend database information. NVD’s vulnerable CPEs cover Kenexa LCMS Premier versions 9.0 through 9.5 and 10.0 through 10.2.
- Vendor
- IBM
- Product
- Kenexa LCMS Premier on Cloud
- CVE
- CVE-2016-9992
- CVSS
- HIGH 7.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2017-03-01
- Original CVE updated
- 2026-05-13
- Advisory published
- 2017-03-01
- Advisory updated
- 2026-05-13
Who should care
Administrators and security teams responsible for IBM Kenexa LCMS Premier on Cloud deployments, especially systems exposing application functions to authenticated users or any environment where database-integrity or confidentiality is important.
Technical summary
The issue is a classic SQL injection condition (CWE-89): application input is not sufficiently constrained before it is incorporated into SQL query text, so a crafted value changes the structure of the query rather than just its data. NVD’s CVSS vector is CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N, indicating network reachability, low attack complexity, a low-privileged (authenticated) account required, and no user interaction. The scored impact is primarily database confidentiality (C:H), with limited integrity impact (I:L); the vector scores no availability impact (A:N). That scoring matches the NVD description of reading, adding, modifying, or deleting backend data, with read access being the larger concern.
Defensive priority
High priority. The combination of remote reachability, low required privileges, and direct database exposure makes this a meaningful risk for any deployed instance, particularly where the application contains sensitive records.
Recommended defensive actions
- Review IBM PSIRT guidance and apply the vendor-recommended patch or mitigation from the referenced IBM advisory.
- Identify whether any Kenexa LCMS Premier on Cloud instances match the vulnerable versions listed by NVD (9.0-9.5 and 10.0-10.2).
- Prioritize remediation for environments containing sensitive employee, training, or business records in the backend database.
- Restrict access to the application to trusted users and networks while remediation is in progress.
- Validate that database queries in the affected code paths use bound parameters or prepared statements rather than string-built SQL, and that input handling is hardened, as part of longer-term remediation.
- After remediation, re-test the affected workflows with inputs containing SQL metacharacters (quotes, comment sequences, UNION) to confirm the injection path is no longer reachable.
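As an added illustration, not code from this page or from IBM's product, the following Python script (standard library sqlite3 only) shows the CWE-89 pattern described in the technical summary beside its parameterized form, and a small regression check of the kind the last step above calls for. The table names, columns, sample rows, and the two payloads are all constructed for this example and have no connection to Kenexa LCMS; the learner-lookup function is hypothetical.

```python
import sqlite3

# Constructed sample data for illustration only; not taken from any IBM product.
ENROLLMENTS = [
    (1, "alice", "Secure Coding 101", "completed"),
    (2, "bob", "Secure Coding 101", "enrolled"),
    (3, "carol", "Incident Response", "completed"),
]
API_TOKENS = [("svc_reporting", "tok-constructed-0001")]


def build_db():
    """Create an in-memory database with two hypothetical tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE enrollments (id INTEGER PRIMARY KEY, learner TEXT, course TEXT, status TEXT)"
    )
    conn.execute("CREATE TABLE api_tokens (owner TEXT, token TEXT)")
    conn.executemany("INSERT INTO enrollments VALUES (?, ?, ?, ?)", ENROLLMENTS)
    conn.executemany("INSERT INTO api_tokens VALUES (?, ?)", API_TOKENS)
    conn.commit()
    return conn


def find_enrollments_vulnerable(conn, learner):
    """CWE-89 pattern: the caller's string is spliced into the SQL text."""
    sql = (
        "SELECT learner, course, status FROM enrollments WHERE learner = '"
        + learner
        + "'"
    )
    return conn.execute(sql).fetchall()


def find_enrollments_parameterized(conn, learner):
    """Hardened form: the value travels as a bound parameter, never as SQL text."""
    sql = "SELECT learner, course, status FROM enrollments WHERE learner = ?"
    return conn.execute(sql, (learner,)).fetchall()


# Two constructed payloads: the first widens the WHERE clause so every row
# matches; the second reads a table the query was never meant to touch,
# which is the confidentiality (C:H) side of the vector.
WHERE_BYPASS = "nobody' OR '1'='1"
UNION_READ = "nobody' UNION SELECT owner, token, 'leaked' FROM api_tokens -- "


def injection_reachable(query_fn, payload):
    """Regression check for the post-remediation step: a learner value that
    matches no real row must return no rows. True means the payload either
    returned data or altered the SQL grammar (a parse error), both of which
    only happen when the string was spliced into the query text."""
    conn = build_db()
    try:
        rows = query_fn(conn, payload)
    except sqlite3.Error:
        return True
    finally:
        conn.close()
    return len(rows) > 0


if __name__ == "__main__":
    for name, fn in (("vulnerable", find_enrollments_vulnerable),
                     ("parameterized", find_enrollments_parameterized)):
        for label, payload in (("where-bypass", WHERE_BYPASS), ("union-read", UNION_READ)):
            print(f"{name:13s} {label:12s} injection reachable: {injection_reachable(fn, payload)}")
```

Run against the string-built query, both payloads return rows (the UNION one leaks the token table); against the parameterized query, the same strings are compared as literal learner names and return nothing. Pointing the check at each affected code path after patching gives a concrete pass/fail for the last action above.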
Evidence notes
All statements above are derived from the supplied NVD record and IBM vendor reference. The CVE was published on 2017-03-01 and the NVD record was last modified on 2026-05-13; that modified date is record metadata, not the vulnerability’s issue date. The NVD record references IBM support advisory uid=swg21992067 and lists vulnerable CPEs for Kenexa LCMS Premier on Cloud versions 9.0, 9.1, 9.2, 9.2.1, 9.3, 9.4, 9.5, 10.0, 10.1, and 10.2.
Official resources
- CVE-2016-9992 CVE record (CVE.org)
- CVE-2016-9992 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch, Vendor Advisory
Publicly disclosed vulnerability with an official CVE record and an IBM vendor advisory reference.