SEPM is using D:\production\Symantec\tomcat\instances\sepm-api\webapps\sepm.war/WEB-INF/lib/spring-core-5.x.x.jar and this file is generating CVE alerts in some vulnerability scanners.

Any SEPM with version higher than 14.x

Based on the NVD, this CVE is related to java deserialization of untrusted data https://nvd.nist.gov/vuln/detail/cve-2016-1000027

SEPM is not affected by CVE-2016-1000027 because it does not load/deserialize untrusted data, hence no further actions are required to address this CVE.