CVE-2024-22330: CWE-521 Weak Password Requirements in IBM Security Verify Governance
IBM Security Verify Governance 10.0.2 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts.
AI Analysis
Technical Summary
CVE-2024-22330 is a vulnerability identified in IBM Security Verify Governance version 10.0.2, classified under CWE-521, which relates to weak password requirements. Specifically, the product does not enforce strong password policies by default, allowing users to create weak passwords that are easier for attackers to guess or brute-force. IBM Security Verify Governance is an identity governance and administration (IGA) solution designed to help organizations manage user access and compliance. The lack of enforced strong passwords increases the risk that attackers can compromise user accounts remotely without requiring prior authentication or user interaction. The CVSS v3.1 base score is 5.9 (medium severity), with the vector indicating network attack vector (AV:N), high attack complexity (AC:H), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), and no impact on integrity or availability (I:N/A:N). This means an attacker can remotely exploit the vulnerability without authentication or user interaction, but the attack requires high complexity, and the primary impact is on confidentiality, likely through unauthorized access to sensitive information. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability stems from a configuration or design decision that does not mandate strong password policies by default, which is a fundamental security control in identity management systems.
Potential Impact
For European organizations using IBM Security Verify Governance 10.0.2, this vulnerability poses a significant risk to the confidentiality of sensitive identity and access management data. Compromise of user accounts could lead to unauthorized access to governance workflows, user entitlement data, and potentially privileged accounts if weak passwords are exploited. This could facilitate insider threat scenarios, privilege escalation, or lateral movement within enterprise networks. Given the critical role of identity governance in regulatory compliance (e.g., GDPR), a breach could also result in legal and financial repercussions. The medium CVSS score reflects that exploitation is not trivial due to high attack complexity, but the lack of required authentication and user interaction lowers the barrier for attackers who can identify weak passwords. European organizations in sectors with stringent compliance requirements such as finance, healthcare, and government are particularly at risk, as identity governance solutions are integral to their security posture. The confidentiality impact could lead to exposure of personal data and access rights, undermining trust and regulatory compliance.
Mitigation Recommendations
Organizations should immediately review and enforce strong password policies within IBM Security Verify Governance 10.0.2, overriding default settings to require complex passwords (e.g., minimum length, character variety, and prohibiting common passwords). Implement multi-factor authentication (MFA) for all user accounts to reduce reliance on passwords alone. Conduct an audit of existing user accounts to identify and remediate weak passwords. Monitor authentication logs for unusual access patterns indicative of brute-force or credential stuffing attacks. Where possible, upgrade to a later version of the product if IBM releases patches or enhanced security configurations addressing this issue. Additionally, integrate IBM Security Verify Governance with centralized identity and access management solutions that enforce enterprise-wide password policies. Train administrators and users on the importance of strong passwords and secure credential management. Finally, implement network-level protections such as rate limiting and IP blacklisting to mitigate automated attack attempts.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: ibm
- Date Reserved: 2024-01-08T23:42:07.732Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68424b45182aa0cae2fa91cf
Added to database: 6/6/2025, 1:58:29 AM
Last enriched: 7/7/2025, 5:27:54 PM
Last updated: 8/18/2025, 11:33:37 PM
Views: 16
Related Threats
- CVE-2025-50859: n/a (High)
- CVE-2025-50858: n/a (High)
- CVE-2025-55454: n/a (High)
- CVE-2025-51092: n/a (High)
- CVE-2025-43759: CWE-732 Incorrect Permission Assignment for Critical Resource in Liferay Portal (Medium)