SB2025121723 - Multiple vulnerabilities in IBM Verify Identity Access and IBM Security Verify Access

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025121723

SB2025121723 - Multiple vulnerabilities in IBM Verify Identity Access and IBM Security Verify Access

Published: December 17, 2025

Security Bulletin ID SB2025121723
Severity
High
Patch available
YES
Number of vulnerabilities 6
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

High 33% Medium 50% Low 17%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 6 secuirty vulnerabilities.


1) Command Injection (CVE-ID: CVE-2025-7962)

The vulnerability allows a remote attacker to execute arbitrary SMTP commands on the system.

The vulnerability exists due to insufficient input validation when handling CR-LF characters in UTF-8 encoding. A remote attacker can pass specially crafted input to the application and execute arbitrary SMTP commands on the server.


2) Stack-based buffer overflow (CVE-ID: CVE-2025-36097)

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to a stack-based overflow. A remote unauthenticated attacker can send a specially crafted request that cause the server to consume excessive memory resources.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


3) Interpretation Conflict (CVE-ID: CVE-2024-56339)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote attacker can bypass security restrictions caused by a failure to honor security configuration. 


4) Privilege Chaining (CVE-ID: CVE-2025-36124)

The vulnerability allows a remote attacker to bypass security restrictions.

The vulnerability exists due to failure to honor JMS messaging configuration. A remote attacker can trigger the vulnerability to bypass security restrictions


5) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2025-36047)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


6) Cross-site scripting (CVE-ID: CVE-2025-36000)

The disclosed vulnerability allows a remote privileged user to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. The vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


Remediation

Install update from vendor's website.

References