IBM has released fixes for three security vulnerabilities affecting its IBM Security Verify Access and IBM Verify Identity Access products, warning that the issues could lead to privilege escalation, arbitrary command execution, and script injection. The company urges customers to apply patches immediately to prevent potential exploitation in production environments.
The first vulnerability, CVE-2025-36355, allows a locally authenticated user to execute malicious scripts from outside of the product’s control sphere. IBM notes that this issue could enable client-side code injection or unauthorized execution of external scripts. It carries a CVSS Base Score of 8.5, signifying high severity.
“IBM Security Verify Access could allow a locally authenticated user to execute malicious scripts from outside of its control sphere,” the company explains.
The second vulnerability, CVE-2025-36356, is even more severe. Rated 9.3 (Critical) on the CVSS scale, it could allow a local user to escalate privileges to root due to improper permission handling. This flaw could grant full administrative control to attackers with minimal system access.
“IBM Security Verify Access could allow a locally authenticated user to escalate their privileges to root due to execution with more privileges than required,” IBM confirms in its bulletin.
Lastly, CVE-2025-36354 affects systems exposed to unauthenticated users, enabling arbitrary command execution with lower-level privileges. This vulnerability stems from improper validation of user-supplied input, and while rated lower at 7.3, it remains a concern for externally accessible deployments.
“IBM Security Verify Access could allow an unauthenticated user to execute arbitrary commands with lower user privileges on the system due to improper validation of user supplied input,” according to IBM.
“Security vulnerabilities have been addressed in IBM Security Verify Access 10.0.9.0-IF3 and IBM Verify Identity Access 11.0.1.0-IF1,” the advisory states, emphasizing that organizations running earlier versions remain exposed until updates are applied.
Both containerized and appliance deployments are impacted. IBM lists the affected products and versions as follows:
- IBM Verify Identity Access (Docker & Appliance): Versions 11.0.0.0 – 11.0.1.0
- IBM Security Verify Access (Docker & Appliance): Versions 10.0.0.0 – 10.0.9.0-IF2
These vulnerabilities affect the platforms responsible for access control and identity verification across enterprise systems, making timely patching a critical step in maintaining network security.
IBM has issued Fix Packs 10.0.9.0-IF3 for Verify Access and 11.0.1.0-IF1 for Verify Identity Access, available through IBM Fix Central and container registries.
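To turn the version ranges above into a quick inventory check, the following script compares installed version strings against the affected ranges and fixing builds named in the advisory. It is an added example, not IBM's code or tooling: the interim-fix ("-IFn") suffix handling is an assumption (a version with no suffix is treated as IF0, i.e. older than -IF1), the mapping of 10.x to Verify Access and 11.x to Verify Identity Access is inferred from the ranges listed, and the host inventory at the bottom is constructed sample data.

```python
"""Check installed IBM Verify Access / Verify Identity Access versions against
the advisory's affected ranges. Added example; not IBM's code."""
import re
from typing import Dict, Optional, Tuple

VersionKey = Tuple[int, int, int, int, int]

# Affected ranges and fixing builds exactly as stated in the advisory.
ADVISORY = {
    "IBM Security Verify Access": {
        "affected_from": "10.0.0.0",
        "affected_to": "10.0.9.0-IF2",
        "fixed_in": "10.0.9.0-IF3",
    },
    "IBM Verify Identity Access": {
        "affected_from": "11.0.0.0",
        "affected_to": "11.0.1.0",
        "fixed_in": "11.0.1.0-IF1",
    },
}

# Four dotted numbers, optionally followed by an interim-fix suffix "-IFn".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)(?:-IF(\d+))?$")


def parse_version(text: str) -> VersionKey:
    """Turn '10.0.9.0-IF2' into (10, 0, 9, 0, 2).

    Assumption: a version with no -IF suffix is IF0, so '10.0.9.0' sorts
    before '10.0.9.0-IF1'. Tuples compare element by element, which gives the
    ordering we need for range checks.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, build, ifix = m.groups()
    return (int(major), int(minor), int(patch), int(build), int(ifix or 0))


def product_for(version: str) -> Optional[str]:
    """Map a version to a product line by its major number.

    Inferred from the advisory's ranges (10.x = Verify Access,
    11.x = Verify Identity Access); other majors are not covered.
    """
    major = parse_version(version)[0]
    if major == 10:
        return "IBM Security Verify Access"
    if major == 11:
        return "IBM Verify Identity Access"
    return None


def assess(version: str) -> str:
    """Return 'affected', 'fixed' or 'not listed' for one installed version."""
    product = product_for(version)
    if product is None:
        return "not listed"
    entry = ADVISORY[product]
    key = parse_version(version)
    low = parse_version(entry["affected_from"])
    high = parse_version(entry["affected_to"])
    if low <= key <= high:
        return "affected"
    if key >= parse_version(entry["fixed_in"]):
        return "fixed"
    # Below the affected range (e.g. an older major) is not in this advisory.
    return "not listed"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Assess every host in a {hostname: version} inventory."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "isva-appliance-01": "10.0.9.0-IF2",   # last affected build
        "isva-docker-02": "10.0.9.0-IF3",      # fixing build
        "ivia-appliance-03": "11.0.1.0",       # affected, no interim fix
        "ivia-docker-04": "11.0.1.0-IF1",      # fixing build
    }
    for host, status in triage(sample).items():
        print(f"{host:20s} {sample[host]:14s} {status}")
```

Run it against the real inventory export of your deployment (the `sample` dict is only a stand-in); any host reported as `affected` needs the corresponding fix build applied, and `not listed` means the version is outside the ranges this advisory covers, so it should be checked against IBM's own support matrix rather than assumed safe.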
For container deployments, administrators can pull the latest versions directly from IBM’s registry: