CVE-2025-36355 is a vulnerability classified under CWE-829, which involves the inclusion of functionality from an untrusted control sphere. Specifically, this affects IBM Security Verify Access Appliance versions 10.0.0.0 through 10.0.9.0 and 11.0.0.0 through 11.0.1.0. The vulnerability allows a locally authenticated user to execute malicious scripts that originate from outside the appliance's trusted control environment. This means that the appliance improperly trusts and executes code or scripts that should be outside its security boundary, leading to potential unauthorized actions. The vulnerability does not require elevated privileges (PR:N) or user interaction (UI:N), but does require local authentication (AV:L). The CVSS v3.1 base score is 8.5, indicating high severity with significant confidentiality impact (C:H), limited integrity impact (I:L), and limited availability impact (A:L). The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component. Although no known exploits are currently reported, the nature of the vulnerability suggests that an attacker with local access could leverage it to execute arbitrary scripts, potentially leading to data exposure or partial system compromise. The vulnerability affects critical identity and access management infrastructure, which is central to enterprise security postures. IBM has not yet published patches at the time of this report, so mitigation relies on access controls and monitoring.

For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of identity and access management systems. IBM Security Verify Access Appliance is widely used in enterprises for authentication, authorization, and access control. Exploitation could allow an attacker with local access to execute malicious scripts, potentially leading to unauthorized data access, privilege escalation, or disruption of authentication services. This could result in data breaches, compliance violations (e.g., GDPR), and operational downtime. Given the appliance’s role in securing access to critical systems, the impact could cascade to other connected infrastructure. Organizations in sectors such as finance, government, healthcare, and telecommunications are particularly at risk due to their reliance on robust identity management. The requirement for local authentication limits remote exploitation but does not eliminate risk from insider threats or compromised internal accounts. The changed scope indicates that the vulnerability could affect other components or systems beyond the appliance itself, increasing potential damage.

1. Immediately restrict local access to IBM Security Verify Access Appliances to trusted administrators only, enforcing strict access controls and monitoring. 2. Implement enhanced logging and alerting for any script execution or unusual activity on the appliance to detect potential exploitation attempts. 3. Apply network segmentation to isolate the appliance from less trusted internal networks and users. 4. Monitor user accounts with local access for suspicious behavior and enforce strong authentication mechanisms, including multi-factor authentication. 5. Once IBM releases patches or updates addressing CVE-2025-36355, prioritize their deployment in all affected environments. 6. Conduct regular security audits and vulnerability assessments on identity and access management infrastructure. 7. Educate administrators about the risks of executing untrusted scripts and enforce policies to prevent unauthorized code execution. 8. Consider temporary compensating controls such as disabling non-essential scripting features if feasible until patches are available.