Introduction
Privilege escalation bugs in identity management platforms can undermine an entire organization's security posture. CVE-2025-36356 allows locally authenticated users to gain root access on IBM Security Verify Access and IBM Verify Identity Access, putting critical authentication and authorization infrastructure at risk.
IBM Security Verify Access is a widely used identity and access management solution for large enterprises. It delivers authentication, authorization, and policy management across complex environments. The product is deployed globally by banks, Fortune 500 companies, and government agencies, making vulnerabilities in this platform especially impactful.
Technical Information
CVE-2025-36356 is a privilege escalation vulnerability rooted in improper privilege management (CWE-250) within IBM Security Verify Access and IBM Verify Identity Access. The flaw affects both appliance and containerized deployments, specifically:
- IBM Security Verify Access 10.0.0.0 through 10.0.9.0
- IBM Security Verify Access 11.0.0.0 through 11.0.1.0
- Corresponding Docker/container images
The vulnerability arises because certain processes or operations within the product execute with root or system-level privileges even when such elevated access is not required. This design oversight violates the principle of least privilege and creates an opportunity for locally authenticated users to escalate their privileges. By exploiting these overprivileged operations, an attacker with local access can obtain root-level control over the affected system. This can lead to full compromise of authentication policies, user databases, and potentially downstream systems that rely on the platform for access control.
No public code snippets or proof of concept have been released for this vulnerability. The issue is classified under CWE-250: Execution with Unnecessary Privileges.
Patch Information
IBM has released updates to address several security vulnerabilities in IBM Security Verify Access and IBM Verify Identity Access products. To mitigate these vulnerabilities, users should update their installations to the latest versions as follows:
- IBM Security Verify Access (Container):
  - Obtain the latest version of the container by executing:
    docker pull icr.io/isva/verify-access:[tag]
    Replace [tag] with the latest published version, which can be confirmed here.
- IBM Verify Identity Access (Container):
  - Obtain the latest version of the container by executing:
    docker pull icr.io/ivia/verify-access:[tag]
    Replace [tag] with the latest published version, which can be confirmed here.
- IBM Security Verify Access (Appliance):
  - Update to version 10.0.9.0-IF3.
- IBM Verify Identity Access (Appliance):
  - Update to version 11.0.1.0-IF1.
IBM strongly recommends that customers update their products at the earliest convenience to ensure system security and integrity.
Patch source: https://www.ibm.com/support/pages/node/7247215
Affected Systems and Versions
- IBM Security Verify Access versions 10.0.0.0 through 10.0.9.0 (appliance and container)
- IBM Security Verify Access versions 11.0.0.0 through 11.0.1.0 (appliance and container)
- IBM Verify Identity Access versions matching the above ranges
- Both traditional appliance and Docker/container deployments are affected
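A version triage check for an asset inventory, added here as an example and not IBM's or this page's own code: it flags version strings inside the affected ranges above and treats the interim-fix levels from the patch section (10.0.9.0-IF3 and 11.0.1.0-IF1) as the first fixed builds. The version-string format (four dotted numbers with an optional -IF suffix), the function names and the sample inventory are assumptions.

```python
import re

# (lowest affected release, highest affected release, first fixed interim fix), from this page
AFFECTED = [
    ((10, 0, 0, 0), (10, 0, 9, 0), 3),  # fixed in 10.0.9.0-IF3
    ((11, 0, 0, 0), (11, 0, 1, 0), 1),  # fixed in 11.0.1.0-IF1
]
# Assumed version-string format: four dotted numbers, optional "-IF<n>" suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)(?:-IF(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """Return ((a, b, c, d), interim_fix_level); the level is 0 when no suffix is present."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    release = tuple(int(g) for g in m.groups()[:4])
    return release, int(m.group(5) or 0)


def triage(text):
    """Classify a version string as 'affected', 'fixed' or 'outside-listed-ranges'."""
    release, ifix = parse_version(text)
    for low, high, fixed_if in AFFECTED:
        if low <= release <= high:
            # Assumption: only the top release of a range has a fix listed, so older ones stay affected.
            if release == high and ifix >= fixed_if:
                return "fixed"
            return "affected"
    return "outside-listed-ranges"


def audit(inventory):
    """Map host -> verdict; unparseable versions are reported, not silently skipped."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = triage(version)
        except ValueError:
            report[host] = "unparseable"
    return report


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = {"isva-a": "10.0.9.0", "isva-b": "10.0.9.0-IF3", "ivia-a": "11.0.1.0-IF1",
              "isva-c": "10.0.4.0-IF5", "old": "9.0.7.0", "bad": "latest"}
    for host, verdict in audit(sample).items():
        print(f"{host}: {verdict}")
```

A verdict of outside-listed-ranges only means the version is not covered by the ranges on this page; it says nothing about other advisories.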
Vendor Security History
IBM Security Verify Access has experienced several privilege escalation and authentication bypass vulnerabilities in recent years. Notable related CVEs include:
- CVE-2025-36354 (privilege escalation)
- CVE-2025-36355 (privilege escalation)
- A set of 32 vulnerabilities disclosed by Pierre Kim in 2024, covering remote code execution, authentication bypass, and local privilege escalation
IBM's Product Security Incident Response Team (PSIRT) manages vulnerability disclosure and patch releases. The vendor typically provides timely advisories and fixes, but the frequency and variety of recent issues reflect the complexity of the product and the ongoing security challenges in this space.