CVE-2025-36356: 
IBM Security Verify Access (formerly ISAM) vulnerability analysis and mitigation

IBM Security Verify Access and IBM Verify Identity Access products are affected by a critical security vulnerability identified as CVE-2025-36356. This vulnerability was disclosed on October 6, 2025, and affects versions 10.0.0.0 through 10.0.9.0-IF2 of IBM Security Verify Access and versions 11.0.0.0 through 11.0.1.0 of IBM Verify Identity Access, in both Docker and Appliance deployments (IBM Security Bulletin).

The vulnerability (CVE-2025-36356) has been assigned a Critical severity rating with a CVSS Base score of 9.3. The vulnerability is classified under CWE-250: Execution with Unnecessary Privileges. The technical root cause stems from the execution of processes with more privileges than required, which could allow privilege escalation to root level (IBM Security Bulletin).

The vulnerability allows a locally authenticated user to escalate their privileges to root level, potentially granting full administrative control to attackers with minimal system access. This could lead to complete system compromise due to the attacker gaining the highest level of system privileges (Security Online).

IBM has released security fixes to address this vulnerability. For IBM Security Verify Access, users should update to version 10.0.9.0-IF3, and for IBM Verify Identity Access, users should update to version 11.0.1.0-IF1. For container deployments, administrators can pull the latest versions directly from IBM's registry using the command 'docker pull icr.io/isva/verify-access:[latest-tag]' for Verify Access and 'docker pull icr.io/ivia/verify-access:[latest-tag]' for Verify Identity Access (IBM Security Bulletin).