A critical privilege escalation vulnerability has been identified in IBM Security Verify Access products, assigned CVE-2025-36356 with a CVSS score of 9.3. This flaw allows a user who is already authenticated on the local system to gain full administrative (root) privileges. Successful exploitation would result in a complete compromise of the affected identity and access management system, enabling an attacker to steal sensitive data, disrupt security services, and potentially gain access to other connected systems.

This is a local privilege escalation (LPE) vulnerability. An attacker must first have valid, low-privilege user credentials and be able to execute code on the target system. By exploiting the unspecified flaw, the authenticated user can elevate their permissions to the root user, which is the highest level of administrative access on the system. This bypasses all intended security restrictions, giving the attacker complete control over the appliance or container.

This vulnerability is rated as critical severity with a CVSS score of 9.3. A compromise of an IBM Security Verify Access system, which is a core component of an organization's identity and access management (IAM) infrastructure, would have a severe business impact. An attacker with root access can access and exfiltrate all sensitive data managed by the system, including user credentials, API keys, and security tokens. They could also manipulate access policies, create rogue administrator accounts, disable security logging, and use the compromised system as a trusted launchpad for further attacks across the corporate network, leading to a widespread breach.

Immediate Action: Prioritize the deployment of security patches provided by IBM. All instances of IBM Security Verify Access and IBM Security Verify Access Docker should be updated to a version that remediates this vulnerability. After patching, review system and application logs for any signs of compromise or attempted exploitation that may have occurred prior to the update.

Proactive Monitoring: Implement enhanced monitoring on affected systems. Security teams should look for unusual activity from non-administrative accounts, such as attempts to access or modify system-level files, unexpected processes running with elevated privileges (root), or the execution of suspicious commands. Monitor audit logs (e.g., auditd) for privilege escalation events and review SSH and local login records for anomalous patterns.

Compensating Controls: If immediate patching is not feasible, apply the principle of least privilege by severely restricting local user access to the appliances. Limit shell access to only essential administrative personnel. Deploy an Endpoint Detection and Response (EDR) agent or Host-based Intrusion Detection System (HIDS) to detect and block suspicious behavior associated with privilege escalation techniques.

Public Exploit Available: false

Given the critical 9.3 CVSS score and the potential for a complete system compromise, we strongly recommend that organizations patch all affected IBM Security Verify Access systems immediately. Although this vulnerability requires an attacker to have prior local access, the risk is severe because a compromised low-privilege account (e.g., through phishing or another vulnerability) could be leveraged to take full control of this critical security infrastructure. The priority for remediation should be high, as the lack of a current public exploit does not guarantee safety from targeted attacks.