CVE-2025-0161: 
IBM Security Verify Access (formerly ISAM) vulnerability analysis and mitigation

IBM Security Verify Access Appliance versions 10.0.0.0 through 10.0.0.9 and IBM Verify Identity Access version 11.0.0.0 were found to contain a security vulnerability that could allow a local user to execute arbitrary code. The vulnerability was discovered and reported to IBM by Peter Lambrechtsen from Middleware NZ, with the initial public disclosure made on February 20, 2025 (IBM Security).

The vulnerability is identified as CVE-2025-0161 and is classified as CWE-94: Improper Control of Generation of Code ('Code Injection'). It has received a CVSS Base score of 7.8 with the vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating a high-severity local security issue. The vulnerability stems from improper restrictions on code generation within the application (IBM Security).

The vulnerability poses significant risks as it allows local users to execute arbitrary code on affected systems. With a CVSS score of 7.8, it indicates high potential impact on confidentiality, integrity, and availability of the system (IBM Security).

IBM has released fixes for affected versions: IBM Security Verify Access 10.0.9.0IF1 for versions 10.0.0.0 through 10.0.9.0, and IBM Verify Identity Access 11.0.0.0IF1 for version 11.0.0.0. IBM strongly recommends that customers update to these latest versions. No alternative workarounds or mitigations have been provided (IBM Security).