Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.
AnalysisAI
IBM Security Verify Access and Verify Identity Access products versions 10.0 through 10.0.9.1 and 11.0 through 11.0.2 use cryptographic algorithms weaker than expected, allowing authenticated network attackers to decrypt highly sensitive information. The vulnerability affects both containerized and non-containerized deployments across multiple major versions. CVSS 6.5 reflects high confidentiality impact with low attack complexity, though authenticated access is required.
Technical ContextAI
IBM Security Verify Access is an identity and access management platform providing authentication, authorization, and single sign-on capabilities. The vulnerability resides in the cryptographic implementation used to protect sensitive data in transit or at rest within the platform. Rather than a specific protocol flaw, this represents a deliberate choice of weaker cryptographic algorithms-likely AES with insufficient key strength, outdated symmetric algorithms, or weak key derivation functions-that fall short of current industry standards for protecting highly sensitive identity and access control data. CWE classification was not provided by IBM, but this pattern aligns with CWE-327 (Use of a Broken or Risky Cryptographic Algorithm) and CWE-326 (Inadequate Encryption Strength).
RemediationAI
Upgrade IBM Security Verify Access to a version newer than 10.0.9.1 or 11.0.2 once available from IBM. Contact IBM support via https://www.ibm.com/support/pages/node/7269372 for confirmed fixed versions and upgrade timelines, as the advisory does not specify exact patch release versions at this time. Until patching is feasible, implement compensating controls: restrict network access to Verify Access management interfaces and APIs to trusted networks using firewall rules or network segmentation, enforce mutual TLS with strong cipher suites for all connections to the platform, rotate and audit service account credentials that may have accessed encrypted data under the weaker algorithm, and consider disabling features or integrations that rely on the vulnerable cryptographic implementation if operationally feasible. The trade-off of network restriction is reduced accessibility for remote administrators; the trade-off of cipher-suite enforcement is potential compatibility issues with legacy clients.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25135
GHSA-5rff-j8g7-m3r3