CVE Alert: CVE-2025-36087 – IBM – Security Verify Access
CVE-2025-36087
IBM Security Verify Access 10.0.0 through 10.0.9, 11.0.0, IBM Verify Identity Access Container 10.0.0 through 10.0.9, and 11.0.0, under certain configurations, contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
AI Summary Analysis
Risk verdict
High risk: remote, unauthenticated network access is possible in affected configurations; patch promptly to avert exploitation.
Why this matters
Hard-coded credentials enable attackers to bypass authentication and access critical components, potentially exposing data, disrupting integrity, and compromising encryption keys. If compromised, an attacker could persist, exfiltrate sensitive data, or pivot to connected systems and external components.
Most likely attack path
Exploitation is network-facing with no user interaction and no privileges required, but with high attack complexity. An attacker would need to target the affected service in the wrong configuration where credentials are embedded; successful access could then be used to authenticate inbound or outbound connections and locate cryptographic material, enabling lateral movement to trusted components.
Who is most exposed
Organisations deploying IBM Security Verify Access or the container in internet-facing, DMZ, or broadly exposed containerised estates are at greatest risk, particularly where credentials are baked into images or configs.
Detection ideas
- Look for unusual outbound connections that authenticate with embedded credentials or keys
- Inspect configs and container images for plain-text credentials or secret material
- Alert on authentication events from unexpected IPs or geographies
- Monitor for anomalous outbound access to external components or encryption endpoints
- Scan recent builds/images for hard-coded credentials
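One way to operationalise the config and image inspection ideas above, as an added Python example that is not part of this alert or of IBM's product: the sample configs, key names and the secret-store reference syntax are constructed for illustration, and the check flags any credential value that recurs across independent deployments, which is the signature of a baked-in default rather than a per-instance secret.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample config exports from three deployments (not real ISVA files).
SAMPLE_CONFIGS = {
    "deployment-a": """
        ldap.bind.password = "S3cretDefault!"
        runtime.signing_secret = 0b1f6c0e8d8a4d2a
        federation.client_secret = ${VAULT:federation/client}
    """,
    "deployment-b": """
        ldap.bind.password: S3cretDefault!
        runtime.signing_secret: 7a9e3c11f0d24b88
    """,
    "deployment-c": """
        ldap.bind.password=S3cretDefault!
        runtime.signing_secret=c4d1e2f3a4b5c6d7
        backup.api_key = per-site-key-c
    """,
}

# Lines whose key names credential material, in key=value or key: value form.
CREDENTIAL_LINE = re.compile(
    r"^\s*(?P<key>[\w.\-]*(?:password|passwd|secret|api[_-]?key|private[_-]?key|token)[\w.\-]*)"
    r"\s*[=:]\s*(?P<value>.+?)\s*$",
    re.IGNORECASE,
)
# Values that only reference an external secret store are not embedded plaintext.
EXTERNAL_REF = re.compile(r"^\$\{|^vault:|^secretref:", re.IGNORECASE)


def extract_credentials(text):
    """Return (key, value) pairs for plaintext credential assignments in one config."""
    found = []
    for line in text.splitlines():
        m = CREDENTIAL_LINE.match(line)
        value = m.group("value").strip().strip("\"'") if m else ""
        if value and not EXTERNAL_REF.match(value):  # skip externalised references
            found.append((m.group("key").lower(), value))
    return found


def find_shared_credentials(configs, min_deployments=2):
    """Fingerprint each value; per-instance secrets never collide, a hard-coded default will."""
    seen = defaultdict(lambda: {"keys": set(), "deployments": set()})
    for name, text in configs.items():
        for key, value in extract_credentials(text):
            fp = hashlib.sha256(value.encode()).hexdigest()[:16]  # report a hash, never the value
            seen[fp]["keys"].add(key)
            seen[fp]["deployments"].add(name)
    return {fp: i for fp, i in seen.items() if len(i["deployments"]) >= min_deployments}
```

Run against config exports or extracted image layers from several installations; a hit on a key such as an LDAP bind password shared by every deployment is the pattern to rotate first.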
Mitigation and prioritisation
- Apply the official fixes: 10.0.9 IF2 and 11.0.1 for the affected lines
- Remove hard-coded credentials from all configurations; implement centralised secret management
- Rotate or revoke embedded credentials and keys; enforce least privilege
- Review and restrict inbound/outbound authentication pathways; segment management interfaces
- Plan patching during a controlled change window; test in staging before prod; verify post-patch connectivity and credential handling
- If KEV or EPSS indicators appear, escalate to priority 1 and accelerate remediation.