CVE-2025-36355: 
IBM Security Verify Access (formerly ISAM) vulnerability analysis and mitigation

IBM Security Verify Access and IBM Security Verify Access Docker versions 10.0.0.0 through 10.0.9.0 and 11.0.0.0 through 11.0.1.0 are affected by a high-severity vulnerability (CVE-2025-36355) that was disclosed on October 6, 2025. The vulnerability allows locally authenticated users to execute malicious scripts from outside of the product's control sphere (IBM Bulletin, Security Online).

The vulnerability has been assigned a CVSS Base Score of 8.5 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L. It is classified under CWE-829 (Inclusion of Functionality from Untrusted Control Sphere). The vulnerability specifically affects both containerized and appliance deployments of the affected products (IBM Bulletin).

This vulnerability could enable client-side code injection or unauthorized execution of external scripts, potentially compromising the security of affected systems. The CVSS scoring indicates high confidentiality impact with low integrity and availability impacts (Security Online).

IBM has released fixes in IBM Security Verify Access 10.0.9.0-IF3 and IBM Verify Identity Access 11.0.1.0-IF1. For container deployments, administrators can pull the latest versions using the command 'docker pull icr.io/isva/verify-access:[latest-tag]' or 'docker pull icr.io/ivia/verify-access:[latest-tag]'. No workarounds are available, making patching the only mitigation option (IBM Bulletin).