CVE-2025-36355 — Inclusion of Functionality from Untrusted Control Sphere in IBM Security Verify Access

CWE-829 — Inclusion of Functionality from Untrusted Control Sphere3 documents3 sources

Severity

8.5HIGHNVD

EPSS

0.0%

top 98.01%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

IBM Security Verify Access IBM Security Verify Access Docker IBM Verify Identity Access +2 more

Timeline

PublishedOct 6

Description

IBM Security Verify Access and IBM Security Verify Access Docker 10.0.0.0 through 10.0.9.0 and 11.0.0.0 through 11.0.1.0 could allow a locally authenticated user to execute malicious scripts from outside of its control sphere.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:LExploitability: 2.5 | Impact: 5.3

Affected Packages6 packages

▶NVDibm/security_verify_access_docker10.0.0.0 — 10.0.9.0+1

▶CVEListV5ibm/security_verify_access_docker10.0.0.0 — 10.0.9.0 IF2+1

▶NVDibm/security_verify_access10.0.0.0 — 10.0.9.0+1

▶CVEListV5ibm/security_verify_access_appliance10.0.0.0 — 10.0.9.0 IF2+1

▶NVDibm/verify_identity_access_docker11.0.0.0 — 11.0.1.0+1

Patches

Patch: www.ibm.com ↗

🔴Vulnerability Details

CVEList

IBM Security Verify Access code execution↗2025-10-06

▶

GHSA

GHSA-qjrx-w3xm-c4fj: IBM Security Verify Access and IBM Security Verify Access Docker 10↗2025-10-06

▶