What is the CVSS score of CVE-2015-7450?

CVE-2015-7450 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 93.5%.

Is there a public PoC exploit available for CVE-2015-7450?

Yes, a public proof-of-concept exploit is available for CVE-2015-7450. Prioritise patching immediately. EPSS: 93.5%.

How to fix or mitigate CVE-2015-7450?

Within 24 hours: Identify and inventory all systems running Sterling B2B Integrator 5.2, Sterling Integrator 5.1, or Tivoli Common Reporting 2.1-3.1.2.1 using network scanning and asset management tools; isolate affected systems from external network access if possible. Within 7 days: Contact IBM support to obtain available patches or security updates for your specific version; implement network segmentation to restrict access to Sterling/Tivoli services to authorized IP ranges only; deploy intrusion detection rules for CVE-2015-7450 exploitation attempts (monitor for serialized Java object payloads). Within 30 days: Apply all available security updates from IBM; if patches are unavailable for your version, execute an upgrade plan to a supported product version; conduct forensic review of logs for signs of prior exploitation.

IBM Sterling B2B Integrator CVE-2015-7450

CRITICAL

Deserialization of Untrusted Data (CWE-502)

2016-01-02 psirt@us.ibm.com

Apache Java Deserialization IBM

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Updated

Apr 21, 2026 - 15:33 vuln.today

v2 (cvss_changed)

Re-analysis Queued

Apr 21, 2026 - 15:22 vuln.today

cvss_changed

Analysis Generated

Mar 26, 2026 - 11:18 vuln.today

Added to CISA KEV

Oct 22, 2025 - 00:15 cisa

CISA KEV

PoC Detected

Oct 22, 2025 - 00:15 vuln.today

Public exploit code

CVE Published

Jan 02, 2016 - 21:59 nvd

CRITICAL 9.8

DescriptionNVD

Serialized-object interfaces in certain IBM analytics, business solutions, cognitive, IT infrastructure, and mobile and social products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the InvokerTransformer class in the Apache Commons Collections library.

AnalysisAI

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenticated network attackers to execute arbitrary commands by sending malicious serialized Java objects exploiting the Apache Commons Collections InvokerTransformer class. This vulnerability is confirmed actively exploited in the wild per CISA KEV, with public exploit code available (Exploit-DB 41613) and an exceptionally high EPSS score of 93.49%, indicating near-certain exploitation probability. Affected products include Sterling B2B Integrator 5.2, Sterling Integrator 5.1, and Tivoli Common Reporting versions 2.1 through 3.1.2.1.

Technical ContextAI

This vulnerability exploits unsafe Java object deserialization (CWE-502) in applications using vulnerable versions of Apache Commons Collections 3.x. The InvokerTransformer class allows attackers to construct serialized objects that, when deserialized by the application, invoke arbitrary methods through reflection. IBM products expose serialized-object interfaces (likely JMX, RMI, or HTTP endpoints accepting serialized data) without proper input validation. The CPE data identifies specific affected versions: Sterling B2B Integrator 5.2.x, Sterling Integrator 5.1.x, and Tivoli Common Reporting 2.1.x through 3.1.2.1. The root cause is the inherently dangerous design of InvokerTransformer combined with application acceptance of untrusted serialized input, enabling gadget chain construction that achieves code execution.

RemediationAI

Apply vendor-released patches immediately per IBM Security Bulletins swg21970575, swg21971342, swg21971376, swg21971758, and swg21972799, which provide specific fix versions for each affected product line (exact patched versions are documented in the individual bulletins linked in references). If immediate patching is infeasible, implement network segmentation to restrict access to serialization endpoints to trusted IP ranges only, disable or remove JMX/RMI remote access if not operationally required (note: this may break monitoring/management tools), and deploy intrusion prevention signatures targeting known Commons Collections deserialization payloads (available from major IPS vendors post-2015). Given confirmed active exploitation, workarounds provide minimal protection-prioritize emergency patching within 24-48 hours for internet-exposed instances and within one week for internal systems.

More from same product – last 7 days

CVE-2026-7524 CRITICAL Act Now

9.8 May 27

Remote code execution in IBM Langflow OSS versions 1.0.0 through 1.9.1 lets unauthenticated network attackers run arbitr

CVE-2026-8175 CRITICAL Act Now

9.8 May 27

Remote code execution and authentication bypass are possible in IBM Aspera High-Speed Transfer Server and High-Speed Tra

CVE-2026-7876 CRITICAL Act Now

9.1 May 27

Authentication bypass in IBM Aspera High-Speed Transfer Server for Cloud Pak for Integration (CP4I) versions 1.5.1 throu

CVE-2026-5065 HIGH This Week

8.8 May 27

Hard-coded credentials in IBM Controller (versions 11.0.1, 11.1.0, 11.1.1, and 11.1.2) give attackers a static, embedded

CVE-2026-8179 HIGH This Week

8.8 May 27

Arbitrary code execution in IBM Aspera High-Speed Transfer Server and Endpoint (versions 3.7.4 through 4.4.7 Fix Pack 1)

CVE-2015-7450 vulnerability details – vuln.today

Back

IBM Sterling B2B Integrator CVE-2015-7450

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Share

External POC / Exploit Code