IBM Security Verify Access CVE-2025-36087: Brief Summary of Hard-Coded Credentials Vulnerability

A brief summary of CVE-2025-36087, a high-severity hard-coded credentials vulnerability in IBM Security Verify Access and IBM Verify Identity Access. This post covers affected versions, technical details, and vendor security history, with references for further research.
CVE Analysis

8 min read

ZeroPath CVE Analysis

2025-10-12
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

Unauthorized access to enterprise authentication infrastructure can lead to widespread compromise of sensitive systems and data. IBM Security Verify Access and IBM Verify Identity Access are widely deployed identity management solutions used by large enterprises, financial institutions, and government agencies to enforce authentication and access policies across critical applications.

IBM Security Verify Access (formerly ISAM) is a flagship identity and access management product from IBM, used by Fortune 500 companies and public sector organizations globally. It provides centralized authentication, single sign-on, and policy enforcement for web and cloud applications. The product's broad adoption and integration with sensitive environments make vulnerabilities in its core components highly impactful.

Technical Information

CVE-2025-36087 is a high-severity vulnerability (CVSS 8.1) caused by the presence of hard-coded credentials within IBM Security Verify Access 10.0.0 through 10.0.9 and 11.0.0, as well as IBM Verify Identity Access Container 10.0.0 through 10.0.9 and 11.0.0. The vulnerability is classified under CWE-798 (Use of Hard-coded Credentials).

In affected versions, the software contains static passwords or cryptographic keys that are embedded directly in application binaries or configuration files. These credentials may be used for:

  • Inbound authentication to the product itself
  • Outbound authentication to external components (such as LDAP, databases, or other services)
  • Encryption of internal data

Attackers who gain access to the binaries, configuration files, or system memory can extract these credentials. Once obtained, the credentials can be used to bypass authentication controls, impersonate legitimate users or services, or decrypt sensitive data protected by the product. The risk is increased if the same credentials are reused across multiple installations, which is common with hard-coded values.

The vulnerability is only present under certain configurations. IBM has not publicly disclosed the exact configuration conditions that trigger the issue. No public code snippets or exploit details are available as of this writing.
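To make the weakness class concrete, the following Python is an added example written for this post; it is not code from IBM's product, from the advisory, or from ZeroPath's analysis, and the configuration keys, sample values, and the `${source:name}` reference syntax are all constructed for illustration. It scans a configuration file for the two things CWE-798 describes, credential-named keys holding literal values and opaque high-entropy strings under other key names, and shows the hardened alternative in which a credential field may only hold a reference that is resolved at runtime from a secret source, failing closed when the secret is absent.

```python
import math
import re
from collections import Counter

# Constructed sample configurations (invented keys and values, not taken from
# any IBM product): one with embedded credentials, one that references a
# secret source instead.
VULNERABLE_CONFIG = """
[ldap]
host = ldap.example.internal
bind-dn = cn=root,o=example
bind-pwd = Sup3rS3cretStaticPwd!
api-token = 9f2c7a1e4b8d6c3a5e7f1b2d4c6a8e0f
data-encryption-key = k7Qp2ZxL9vN4mR8tW1yB3cJ6eH0s
"""

HARDENED_CONFIG = """
[ldap]
host = ldap.example.internal
bind-dn = cn=root,o=example
bind-pwd = ${secret:ldap/bind-pwd}
api-token = ${env:LDAP_API_TOKEN}
data-encryption-key = ${vault:kv/dek}
"""

KEY_VALUE = re.compile(r"^\s*([\w.-]+)\s*[=:]\s*(.+?)\s*$")
CREDENTIAL_KEY = re.compile(r"pwd|password|passwd|secret|token|api[-_]?key", re.I)
# Hypothetical "${source:name}" syntax standing in for whatever indirection the
# deployment uses (environment variable, secret store, vault).
INDIRECT_REFERENCE = re.compile(r"^\$\{(secret|env|vault):([^}]+)\}$")
OPAQUE_LITERAL = re.compile(r"^[A-Za-z0-9+/=_-]+$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random keys and tokens score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def find_hardcoded_credentials(config_text: str) -> list:
    """Return (line_no, key, reason) for every value that looks like an embedded credential."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        m = KEY_VALUE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if INDIRECT_REFERENCE.match(value):
            continue  # resolved at runtime from a secret source, nothing embedded
        if CREDENTIAL_KEY.search(key):
            findings.append((line_no, key, "credential-named key holds a literal"))
        elif len(value) >= 24 and OPAQUE_LITERAL.match(value) and shannon_entropy(value) > 4.0:
            # Catches keys and tokens filed under a name the keyword list misses.
            findings.append((line_no, key, "high-entropy literal"))
    return findings


def resolve_credential(value: str, secret_store: dict) -> str:
    """Hardened loader: only an indirect reference is accepted, so a literal
    credential cannot ship inside the configuration; a missing secret fails closed."""
    m = INDIRECT_REFERENCE.match(value)
    if not m:
        raise ValueError("credential fields must reference a secret source, not hold a literal")
    source, name = m.groups()
    try:
        return secret_store[source][name]
    except KeyError:
        raise LookupError(f"no {source} secret named {name!r}") from None


if __name__ == "__main__":
    for line_no, key, reason in find_hardcoded_credentials(VULNERABLE_CONFIG):
        print(f"line {line_no}: {key}: {reason}")
    print("hardened config findings:", find_hardcoded_credentials(HARDENED_CONFIG))
    store = {"secret": {"ldap/bind-pwd": "value-injected-at-startup"}, "env": {}, "vault": {}}
    print(resolve_credential("${secret:ldap/bind-pwd}", store))
```

The keyword check flags `bind-pwd` and `api-token` immediately, while `data-encryption-key` is only caught by the entropy heuristic, which is the case a keyword-only scan misses. The same scan over binaries or memory images is how an attacker would recover such values, which is why the hardened loader refuses literals outright rather than merely warning about them: a credential that is never written into the shipped artifact cannot be reused across installations.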

Affected Systems and Versions

  • IBM Security Verify Access 10.0.0 through 10.0.9
  • IBM Security Verify Access 11.0.0
  • IBM Verify Identity Access Container 10.0.0 through 10.0.9
  • IBM Verify Identity Access Container 11.0.0

The vulnerability is only exploitable under certain (unspecified) configurations. Organizations must review their deployments and consult IBM's advisory for details.

Vendor Security History

IBM Security Verify Access has experienced multiple critical vulnerabilities related to credential management and authentication mechanisms. Notably:

  • CVE-2024-49805 and CVE-2024-49806 (hard-coded credentials, CVSS 9.8)
  • CVE-2024-49803 (remote command injection, CVSS 8.8)
  • CVE-2024-49804 (privilege escalation, CVSS 7.8)
  • Multiple authentication bypass and privilege escalation issues documented by independent researchers (Pierre Kim, 2024)

IBM typically responds with coordinated disclosures and patch releases. However, the recurrence of hard-coded credential vulnerabilities across major versions indicates ongoing challenges in secure software development and credential management processes.

References