CVE-2024-49803: 
IBM Security Verify Access (formerly ISAM) vulnerability analysis and mitigation

IBM Security Verify Access Appliance versions 10.0.0 through 10.0.8 contains a critical vulnerability (CVE-2024-49803) that was disclosed on November 29, 2024. The vulnerability allows a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request (IBM Advisory).

The vulnerability is classified as an OS Command Injection (CWE-78) vulnerability, specifically involving improper neutralization of special elements used in OS commands. It has received a CVSS v3.1 base score of 8.8 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. This indicates that the vulnerability can be exploited over the network, requires low attack complexity, needs low-level privileges, and doesn't require user interaction (NVD).

The successful exploitation of this vulnerability could result in high impacts on confidentiality, integrity, and availability of the affected system. An attacker could potentially execute arbitrary commands on the system, leading to complete system compromise (IBM Advisory).

IBM has released a fix for the vulnerability. Users of IBM Security Verify Appliance versions 10.0.0 through 10.0.8 IF1 should upgrade to version 10.0.8-ISS-ISVA-FP0002. No workarounds are available for this vulnerability, making the patch installation critical (IBM Advisory).

The vulnerability was reported to IBM by security researchers Antonin B., Christophe S., and Ianis Bernard from the NATO Communication and Information Agency (IBM Advisory).