IBM Security Verify Directory CVE-2025-36074

EUVD-2025-209557
Severity: MEDIUM (CVSS 3.1 base score 5.5)
Weakness: Unrestricted Upload of File with Dangerous Type (CWE-434)

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: Low

Lifecycle Timeline

Analysis Generated: Apr 23, 2026 - 07:01 (vuln.today)

Description (NVD)

IBM Security Verify Directory (Container) 10.0.0 through 10.0.0.3 could be vulnerable to malicious file upload by not validating file type. A privileged user could upload malicious files into the system that can be sent to victims for performing further attacks against the system.

Analysis (AI)

IBM Security Verify Directory (Container) versions 10.0.0 through 10.0.0.3 fail to validate uploaded file types, allowing a privileged user to upload malicious files that can then be sent to victims for further attacks against the system. Exploitation requires high-privilege credentials, but once exploited the flaw enables integrity compromise and partial availability impact.

Technical Context (AI)

IBM Security Verify Directory is an identity and access management directory service typically deployed in containerized environments. The vulnerability stems from insufficient input validation in the file upload functionality and is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). Because the file type is not validated, the application accepts executable, script, or other dangerous file formats without sanitization or verification. This is particularly dangerous in directory services, which often handle authentication and authorization data, because uploaded malicious files can be retrieved and executed by victims or integrated into workflows.
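The check whose absence CWE-434 describes, as an added example (not IBM's code and not from the original page): a default-deny validator that treats the file extension as a claim and requires the content to match it. The allowlisted types, the size cap and all names are assumptions, since the page does not say which file types the product is meant to accept.

```python
import hashlib
import os
from typing import NamedTuple

# Hypothetical allowlist (assumption, not from the product): extension -> check on leading bytes.
ALLOWED_TYPES = {
    ".pem": lambda b: b.startswith(b"-----BEGIN "),
    ".png": lambda b: b.startswith(b"\x89PNG\r\n\x1a\n"),
    ".pdf": lambda b: b.startswith(b"%PDF-"),
}
MAX_BYTES = 1_048_576  # assumed size cap

class Decision(NamedTuple):
    accepted: bool
    reason: str
    sha256: str  # recorded for every attempt so rejected uploads are auditable too

def validate_upload(filename: str, content: bytes) -> Decision:
    """Default-deny check of an upload's name, declared type and actual content."""
    digest = hashlib.sha256(content).hexdigest()

    def deny(reason: str) -> Decision:
        return Decision(False, reason, digest)

    # Only a bare file name is acceptable: no directories, backslashes or NUL bytes.
    if not filename or filename != os.path.basename(filename) or "\\" in filename or "\x00" in filename:
        return deny("file name is not a bare name")
    stem, ext = os.path.splitext(filename.lower())
    if ext not in ALLOWED_TYPES:
        return deny(f"extension {ext or '(none)'} not allowlisted")
    # Refuse double extensions such as report.php.png outright.
    if "." in stem:
        return deny("multiple extensions")
    if not content or len(content) > MAX_BYTES:
        return deny("empty or oversized content")
    # The extension is only a claim; the bytes must match it.
    if not ALLOWED_TYPES[ext](content):
        return deny(f"content does not match declared type {ext}")
    return Decision(True, "ok", digest)

if __name__ == "__main__":
    # Constructed samples: (file name, leading bytes).
    for name, data in [("ca.pem", b"-----BEGIN CERTIFICATE-----\n"),
                       ("logo.png", b"\x7fELF\x02\x01\x01"),
                       ("report.php.png", b"\x89PNG\r\n\x1a\n")]:
        print(name, validate_upload(name, data))
```

Logging the returned `Decision` for every attempt, accepted or not, gives the upload audit trail the remediation advice calls for.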

Remediation (AI)

Upgrade IBM Security Verify Directory (Container) to version 10.0.0.4 or later. If immediate patching is not feasible, restrict upload functionality to dedicated service accounts with minimal privileges and audit all uploads via container logs or SIEM integration. Implement network segmentation to prevent untrusted users from accessing the file upload interface, and consider disabling file upload features entirely if they are not required for business operations. Additionally, use AppArmor or SELinux policies at the container level to restrict which files the application process can execute. Note that network restriction is only a compensating control and does not eliminate the underlying validation flaw.
