CVE-2025-36354
📋 TL;DR
This vulnerability allows unauthenticated attackers to execute arbitrary commands with limited privileges on IBM Security Verify Access systems. It affects IBM Security Verify Access and IBM Security Verify Access Docker versions 10.0.0.0 through 10.0.9.0 and 11.0.0.0 through 11.0.1.0. The issue stems from improper input validation (CWE-78: OS Command Injection).
💻 Affected Systems
- IBM Security Verify Access
- IBM Security Verify Access Docker
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker gains initial foothold on the system, executes arbitrary commands, and potentially escalates privileges to compromise the entire system or pivot to other network resources.
Likely Case
Attackers execute commands with limited privileges to gather system information, establish persistence, or launch further attacks from the compromised host.
If Mitigated
With proper network segmentation and least privilege configurations, impact is limited to the affected service with minimal lateral movement potential.
🎯 Exploit Status
The vulnerability requires no authentication and involves command injection, making exploitation relatively straightforward for attackers with network access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply IBM Security Verify Access 10.0.9.1 or 11.0.1.1 or later
Vendor Advisory: https://www.ibm.com/support/pages/node/7247215
Restart Required: Yes
Instructions:
1. Download the latest fix pack from IBM Fix Central.
2. Back up the current configuration.
3. Apply the fix pack following IBM installation procedures.
4. Restart the service/container.
5. Verify the patch is applied successfully.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to IBM Security Verify Access to only trusted IP addresses and networks.
Use firewall rules to limit access; because these rules are appended in order, the ACCEPT for the trusted source must precede the catch-all DROP (replace <verify_access_port> and <trusted_ip> with your values):
iptables -A INPUT -p tcp --dport <verify_access_port> -s <trusted_ip> -j ACCEPT
iptables -A INPUT -p tcp --dport <verify_access_port> -j DROP
Container Security Hardening
Apply Docker security best practices to limit container capabilities (drop all capabilities, re-add only the one needed to bind a privileged port, mount the root filesystem read-only, and block privilege escalation):
docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE --read-only --security-opt=no-new-privileges <image>
🧯 If You Can't Patch
- Implement strict network segmentation and firewall rules to isolate affected systems
- Apply principle of least privilege to service accounts and monitor for suspicious command execution
🔍 How to Verify
Check if Vulnerable:
Check the installed version of IBM Security Verify Access via administrative console or command line
Check Version:
On Linux: /opt/ibm/isva/bin/version.sh or check Docker container version
Verify Fix Applied:
Verify the version is 10.0.9.1 or higher on the 10.0 stream, or 11.0.1.1 or higher on the 11.0 stream; any version from 10.0.0.0 through 10.0.9.0 or from 11.0.0.0 through 11.0.1.0 is still affected.
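The version check described above, as an added example that is not part of the advisory: it takes the version string reported by the administrative console or version.sh (output format assumed to be a dotted version such as 10.0.9.0) and tests it against the affected ranges and first fixed releases this page lists.

```python
"""Added example, not IBM's code: classify an installed IBM Security Verify
Access version against the CVE-2025-36354 ranges stated in the advisory."""
from typing import Optional, Tuple

# Inclusive affected ranges, taken from the advisory text.
AFFECTED_RANGES = [
    ((10, 0, 0, 0), (10, 0, 9, 0)),
    ((11, 0, 0, 0), (11, 0, 1, 0)),
]
# First fixed release on each major stream.
FIXED_VERSIONS = {10: (10, 0, 9, 1), 11: (11, 0, 1, 1)}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.0.9.0' (or a shorter form such as '10.0.9') into a 4-tuple.
    Missing trailing components are padded with 0 so tuples compare cleanly."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts) or len(parts) > 4:
        raise ValueError(f"unparseable ISVA version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def is_affected(text: str) -> bool:
    """True if the version lies inside one of the advisory's affected ranges."""
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def required_fix(text: str) -> Optional[str]:
    """Return the first fixed release for this version's stream, or None when
    the version is already at/above it or on a stream the advisory does not list."""
    v = parse_version(text)
    fixed = FIXED_VERSIONS.get(v[0])
    if fixed is None or v >= fixed:
        return None
    return ".".join(str(n) for n in fixed)


def assess(text: str) -> str:
    """One-line verdict suitable for a compliance report."""
    if is_affected(text):
        return f"{text}: VULNERABLE, upgrade to {required_fix(text)} or later"
    return f"{text}: not in affected range"


if __name__ == "__main__":
    # Constructed sample inputs, one per case.
    for sample in ("10.0.3.0", "10.0.9.0", "10.0.9.1", "11.0.1.0", "11.0.1.1"):
        print(assess(sample))
```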
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution in system logs
- Failed authentication attempts followed by command execution
- Unexpected process creation from IBM Security Verify Access service
Network Indicators:
- Unusual outbound connections from IBM Security Verify Access hosts
- Suspicious payloads in HTTP requests to Verify Access endpoints
SIEM Query:
source="ibm_verify_access" AND (event_type="command_execution" OR process_name="cmd.exe" OR process_name="/bin/sh")