Brief Summary of Privilege Escalation in IBM Security Verify Access (CVE-2025-36356)

This post provides a brief summary of CVE-2025-36356, a critical privilege escalation vulnerability in IBM Security Verify Access and IBM Verify Identity Access. We review affected versions, technical details, and official patch guidance.

ZeroPath CVE Analysis

2025-10-06

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

Introduction

Privilege escalation bugs in identity management platforms can undermine an entire organization's security posture. CVE-2025-36356 allows locally authenticated users to gain root access on IBM Security Verify Access and IBM Verify Identity Access, putting critical authentication and authorization infrastructure at risk.

IBM Security Verify Access is a widely used identity and access management solution for large enterprises. It delivers authentication, authorization, and policy management across complex environments. The product is deployed globally by banks, Fortune 500 companies, and government agencies, making vulnerabilities in this platform especially impactful.

Technical Information

CVE-2025-36356 is a privilege escalation vulnerability rooted in improper privilege management (CWE-250) within IBM Security Verify Access and IBM Verify Identity Access. The flaw affects both appliance and containerized deployments, specifically:

  • IBM Security Verify Access 10.0.0.0 through 10.0.9.0
  • IBM Security Verify Access 11.0.0.0 through 11.0.1.0
  • Corresponding Docker/container images

The vulnerability arises because certain processes or operations within the product execute with root or system-level privileges even when such elevated access is not required. This design oversight violates the principle of least privilege and creates an opportunity for locally authenticated users to escalate their privileges. By exploiting these overprivileged operations, an attacker with local access can obtain root-level control over the affected system. This can lead to full compromise of authentication policies, user databases, and potentially downstream systems that rely on the platform for access control.

No public code snippets or proof of concept have been released for this vulnerability. The issue is classified under CWE-250: Execution with Unnecessary Privileges.

Patch Information

IBM has released updates to address several security vulnerabilities in IBM Security Verify Access and IBM Verify Identity Access products. To mitigate these vulnerabilities, users should update their installations to the latest versions as follows:

  • IBM Security Verify Access (Container):

    • Obtain the latest version of the container by executing:
      docker pull icr.io/isva/verify-access:[tag]
      Replace [tag] with the latest published version, which can be confirmed here.
  • IBM Verify Identity Access (Container):

    • Obtain the latest version of the container by executing:
      docker pull icr.io/ivia/verify-access:[tag]
      Replace [tag] with the latest published version, which can be confirmed here.
  • IBM Security Verify Access (Appliance):

    • Update to version 10.0.9.0-IF3.
  • IBM Verify Identity Access (Appliance):

    • Update to version 11.0.1.0-IF1.

IBM strongly recommends that customers update their products at the earliest convenience to ensure system security and integrity.

Patch source: https://www.ibm.com/support/pages/node/7247215

Affected Systems and Versions

  • IBM Security Verify Access versions 10.0.0.0 through 10.0.9.0 (appliance and container)
  • IBM Security Verify Access versions 11.0.0.0 through 11.0.1.0 (appliance and container)
  • IBM Verify Identity Access versions matching the above ranges
  • Both traditional appliance and Docker/container deployments are affected
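For triaging an inventory against the ranges and fix levels listed above, the following added example (not IBM's or ZeroPath's code) classifies version strings as affected, fixed, or outside the ranges quoted on this page. It assumes versions are written in the page's "10.0.9.0-IF3" form and that an interim fix at or above the listed level on the same release also carries the fix; the hostnames and inventory are constructed.

```python
import re

# Affected ranges and appliance fix levels as stated on this page:
# major -> (first affected, last affected, interim fix on the last release that resolves it)
ADVISORY = {
    10: ((10, 0, 0, 0), (10, 0, 9, 0), 3),  # fixed in 10.0.9.0-IF3
    11: ((11, 0, 0, 0), (11, 0, 1, 0), 1),  # fixed in 11.0.1.0-IF1
}

# Assumption: versions are written the way the page writes them, e.g. "10.0.9.0-IF3".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)(?:-IF(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """Return ((a, b, c, d), interim_fix_level); the level is 0 when no -IF suffix."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.groups()[:4]), int(m.group(5) or 0)


def triage(version_text):
    """Classify a version as 'affected', 'fixed', 'outside-range' or 'unparsed'."""
    try:
        base, ifix = parse_version(version_text)
    except ValueError:
        return "unparsed"  # e.g. a floating tag such as "latest": check by hand
    entry = ADVISORY.get(base[0])
    if entry is None or not (entry[0] <= base <= entry[1]):
        return "outside-range"  # not covered by the ranges quoted on this page
    # Assumption: only the listed interim fix (or a later one) on the last
    # release in the range carries the fix; older releases stay affected.
    if base == entry[1] and ifix >= entry[2]:
        return "fixed"
    return "affected"


# Constructed inventory: hostnames and versions are made up for this example.
INVENTORY = [
    ("idp-01", "10.0.9.0"), ("idp-02", "10.0.9.0-IF3"), ("idp-03", "10.0.4.0-IF2"),
    ("idp-04", "11.0.1.0"), ("idp-05", "11.0.1.0-IF1"), ("idp-06", "latest"),
]


def report(inventory):
    """Map each host to its triage status."""
    return {host: triage(version) for host, version in inventory}


if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:8} {status}")
```

An "outside-range" or "unparsed" result means the version is not decided by the ranges on this page and should be checked against the IBM advisory directly.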

Vendor Security History

IBM Security Verify Access has experienced several privilege escalation and authentication bypass vulnerabilities in recent years. Notable related CVEs include:

  • CVE-2025-36354 (privilege escalation)
  • CVE-2025-36355 (privilege escalation)
  • A set of 32 vulnerabilities disclosed by Pierre Kim in 2024, covering remote code execution, authentication bypass, and local privilege escalation

IBM's Product Security Incident Response Team (PSIRT) manages vulnerability disclosure and patch releases. The vendor typically provides timely advisories and fixes, but the frequency and variety of recent issues reflect the complexity of the product and the ongoing security challenges in this space.
