CVE-2025-36354: 
IBM Security Verify Access (formerly ISAM) vulnerability analysis and mitigation

IBM Security Verify Access and IBM Security Verify Access Docker versions 10.0.0.0 through 10.0.9.0 and 11.0.0.0 through 11.0.1.0 are affected by a security vulnerability identified as CVE-2025-36354. This vulnerability allows an unauthenticated user to execute arbitrary commands with lower user privileges on the system due to improper validation of user-supplied input. The vulnerability was disclosed on October 6, 2025, and has been assigned a CVSS Base Score of 7.3 (High) (IBM Security Bulletin).

The vulnerability is classified under CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'). It has been assigned a CVSS v3.1 Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, indicating network accessibility, low attack complexity, no privileges required, and no user interaction needed. The vulnerability affects both containerized and appliance deployments of the software (IBM Security Bulletin).

The exploitation of this vulnerability could lead to unauthorized command execution with lower user privileges on affected systems. The impact spans across confidentiality, integrity, and availability, each rated as Low in the CVSS scoring. This indicates potential unauthorized access to information, modification of system data, and potential service disruptions (Security Online).

IBM has released security fixes in IBM Security Verify Access version 10.0.9.0-IF3 and IBM Verify Identity Access version 11.0.1.0-IF1. For container deployments, administrators can obtain the latest version by running the command 'docker pull icr.io/isva/verify-access:[tag]' or 'docker pull icr.io/ivia/verify-access:[tag]' where [tag] is the latest published version. No workarounds have been provided as alternatives to patching (IBM Security Bulletin).

The vulnerability has drawn attention from security researchers, including acknowledgment of coordinated vulnerability disclosure by researchers from various institutions such as COSIC at KU Leuven, University of Lubeck, CISPA Helmholtz Center for Information Security, University of Birmingham, and DistriNet at KU Leuven (IBM Security Bulletin).