CVE-2025-0163: 
IBM Security Verify Access (formerly ISAM) vulnerability analysis and mitigation

IBM Security Verify Access Appliance and Docker versions 10.0 through 10.0.8 contain a security vulnerability (CVE-2025-0163) discovered and disclosed on June 11, 2025. The vulnerability allows remote attackers to enumerate usernames through observable response discrepancies of disabled accounts (IBM Advisory, NVD).

The vulnerability is classified under CWE-204 (Observable Response Discrepancy) and has been assigned a CVSS v3.1 Base Score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. This scoring indicates that the vulnerability can be exploited remotely with low attack complexity, requires no privileges or user interaction, and primarily impacts confidentiality (IBM Advisory).

The vulnerability enables remote attackers to enumerate valid usernames in the system by observing differences in responses when querying disabled accounts. This information disclosure could potentially be used as a stepping stone for further attacks by identifying valid user accounts in the system (Wiz).

IBM has released patches to address this vulnerability. Users are advised to upgrade to IBM Security Verify Access version 10.0.9 or IBM Verify Identity Access 11.0. For Docker installations, users should log into IBM Cloud Registry and execute the corresponding update commands. No workarounds are available for this vulnerability (IBM Advisory).