Cyber Resilience

CVE-2015-7450

Tags: Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 02 January 2016
Modified: 21 April 2026
KEV Added: 10 January 2022
Patch
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9327 (99.8th percentile)
Risk Priority: 96 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2015-7450 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in IBM Tivoli Common Reporting and other IBM products (see Affected Assets). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2015-7450 is a deserialization vulnerability (CWE-502) affecting serialized-object interfaces in multiple IBM analytics, business solutions, cognitive, IT infrastructure, and mobile and social products. The flaw stems from unsafe handling of Java serialized objects that leverage the InvokerTransformer class in the Apache Commons Collections library, enabling remote code execution when untrusted data is deserialized.

Remote attackers can exploit the issue over the network without authentication or user interaction by submitting a crafted serialized Java object. Successful exploitation grants arbitrary command execution with impacts equivalent to full confidentiality, integrity, and availability compromise, reflected in the CVSS 9.8 base score.

IBM has published multiple security advisories detailing affected products and recommended mitigations, available at the referenced support documents including swg21970575, swg21971342, swg21971376, swg21971733, and swg21971758.

Vulnerability details

Serialized-object interfaces in certain IBM analytics, business solutions, cognitive, IT infrastructure, and mobile and social products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the InvokerTransformer class in the Apache Commons Collections library.

CWE(s): CWE-502 (Deserialization of Untrusted Data)
KEV Date Added: 10 January 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor | Product                                          | Versions
ibm    | sterling b2b integrator                          | 5.2
ibm    | sterling integrator                              | 5.1
ibm    | tivoli common reporting                          | 2.1, 2.1.1, 2.1.1.2, 3.1, 3.1.0.1
ibm    | watson content analytics                         | 3.0 — 3.0.0.6 · 3.5 — 3.5.0.3
ibm    | watson explorer analytical components            | 11.0 · 10.0 — 10.0.0.2
ibm    | watson explorer annotation administration console | 11.0 · 10.0 — 10.0.0.2
ibm    | websphere application server                     | 7.0.0.0, 8.0.0.0, 8.5, 8.5.0.0, 8.5.5.5

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly blocks the attack by validating or rejecting untrusted serialized Java objects before they reach the InvokerTransformer deserialization path.

SI-2 Flaw Remediation (prevent): Requires prompt application of vendor patches that remove or safely replace the vulnerable Apache Commons Collections code in affected IBM products.

Network exposure restriction (prevent): Restricts network exposure of the serialized-object interfaces so that unauthenticated remote attackers cannot reach them.
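The SI-10 control above, validating or rejecting serialized objects before they are instantiated, is what the JEP 290 ObjectInputFilter mechanism in Java 9+ provides. The example below is added here and is not code from this page, from IBM, or from any IBM advisory; it assumes a JDK 9 or later runtime and a hypothetical application type StatusReport. It attaches an allowlist filter to an ObjectInputStream, explicitly denies the org.apache.commons.collections package named by the CVE, and caps graph depth, reference count, and array length so a stream cannot consume unbounded resources. Both inputs fed to it are constructed for the demo.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

// Added example (not from the page or IBM): a JEP 290 ObjectInputFilter that
// enforces an allowlist on the deserialization path. Every class in the stream
// is checked before ObjectInputStream instantiates it, so a rejected class
// never has its readObject/readResolve code run.
public class DeserializationAllowlist {

    // Hypothetical application message the service legitimately accepts.
    public static final class StatusReport implements Serializable {
        private static final long serialVersionUID = 1L;
        final String host;
        final int code;
        StatusReport(String host, int code) { this.host = host; this.code = code; }
    }

    // Only these classes may be materialised from an untrusted stream.
    private static final Set<String> ALLOWED = Set.of(
        StatusReport.class.getName(),
        String.class.getName()
    );

    // Consulted for every class in the graph and whenever depth/reference/array
    // counters change (serialClass() is null on those bookkeeping calls).
    static final ObjectInputFilter FILTER = info -> {
        if (info.depth() > 10 || info.references() > 1_000 || info.arrayLength() > 10_000) {
            return ObjectInputFilter.Status.REJECTED;   // resource limits
        }
        Class<?> c = info.serialClass();
        if (c == null) {
            return ObjectInputFilter.Status.UNDECIDED;  // not a class-resolution call
        }
        while (c.isArray()) c = c.getComponentType();    // judge arrays by element type
        if (c.isPrimitive()) return ObjectInputFilter.Status.ALLOWED;
        String name = c.getName();
        if (name.startsWith("org.apache.commons.collections")) {
            return ObjectInputFilter.Status.REJECTED;   // library named by CVE-2015-7450
        }
        return ALLOWED.contains(name) ? ObjectInputFilter.Status.ALLOWED
                                      : ObjectInputFilter.Status.REJECTED;
    };

    /** Deserialise with the filter attached; the JDK throws InvalidClassException on rejection. */
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed input 1: an allowlisted message passes the filter.
        StatusReport ok = (StatusReport) readFiltered(serialize(new StatusReport("db01", 200)));
        System.out.println("accepted: " + ok.host + " " + ok.code);

        // Constructed input 2: a harmless but non-allowlisted class (java.util.ArrayList)
        // is rejected, showing that unexpected types are stopped before instantiation.
        try {
            readFiltered(serialize(new ArrayList<>(List.of("x"))));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The filter is defence in depth, not a substitute for the SI-2 control: applying the IBM fixes that remove or replace the vulnerable Commons Collections code is still the primary remediation. Where the application code that creates ObjectInputStream instances cannot be changed, the same class-name patterns can be applied process-wide through the JDK's jdk.serialFilter system property instead of a per-stream filter.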

References