Severity by source
AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 could allow a locally authenticated user to escalate their privileges to root due to execution with unnecessary privileges than required.
AnalysisAI
Local privilege escalation to root in IBM Verify/Security Verify Access products 10.0-11.0.2 allows unauthenticated local users to gain full system control via excessive process privileges (CWE-250). The CVSS 9.3 score reflects local attack vector but no authentication requirement (PR:N) and complete system compromise with scope change. Patch available per vendor advisory. No public exploit identified at time of analysis, though the local attack vector and low complexity (AC:L) suggest straightforward exploitation once local access is obtained.
Technical ContextAI
This vulnerability stems from CWE-250 (Execution with Unnecessary Privileges), where IBM Verify/Security Verify Access components run processes with elevated privileges beyond operational requirements. The affected products span both containerized (Verify Identity Access Container, Security Verify Access Container) and traditional deployment models (Verify Identity Access, Security Verify Access) across versions 10.0 through 11.0.2. The CVSS vector indicates local attack surface (AV:L), meaning exploitation requires existing local system access, but critically shows PR:N (no privileges required) - the attacker needs no authentication beyond basic local user access. The scope change (S:C) indicates the vulnerability allows escaping the security context of the vulnerable component to impact the broader system, consistent with local-to-root escalation scenarios common in enterprise identity and access management platforms where service accounts or executables run with SUID/sudo privileges unnecessarily.
RemediationAI
Patch available per vendor advisory at https://www.ibm.com/support/pages/node/7268253. Organizations should immediately consult this IBM support page for specific patched versions and upgrade paths for their deployment model (containerized vs traditional). IBM typically provides interim workarounds or hardening guidance in their advisories for customers unable to patch immediately. Until patching is complete, implement compensating controls: restrict local system access to IBM Verify infrastructure through network segmentation and jump host architectures, enforce multi-factor authentication for all administrative access, enable comprehensive process execution monitoring to detect unexpected privilege escalation attempts, and review system logs for unauthorized root-level activities. Given the local attack vector, prioritize removing unnecessary local user accounts and disabling unused services that could provide initial foothold access.
Same weakness CWE-250 – Execution with Unnecessary Privileges
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20001