{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-36074", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "state": "PUBLISHED", "assignerShortName": "ibm", "dateReserved": "2025-04-15T21:16:13.121Z", "datePublished": "2026-04-22T23:39:34.598Z", "dateUpdated": "2026-04-23T14:35:26.541Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2026-04-22T23:39:34.598Z"}, "title": "Security vulnerability has been detected in IBM Security Verify Directory", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "type": "CWE"}]}], "affected": [{"vendor": "IBM", "product": "Security Verify Directory (Container)", "versions": [{"status": "affected", "version": "10.0.0", "lessThanOrEqual": "10.0.0.3", "versionType": "semver"}], "cpes": ["cpe:2.3:a:ibm:security_verify_directory_container:10.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:security_verify_directory_container:10.0.0.3:*:*:*:*:*:*:*"]}], "descriptions": [{"lang": "en", "value": "IBM Security Verify Directory (Container) 10.0.0 through 10.0.0.3 IBM Security Verify Directory could be vulnerable to malicious file upload by not validating file type. A privileged user could upload malicious files into the system that can be sent to victims for performing further attacks against the system.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>IBM Security Verify Directory (Container) 10.0.0 through 10.0.0.3 IBM Security Verify Directory could be vulnerable to malicious file upload by not validating file type. A privileged user could upload malicious files into the system that can be sent to victims for performing further attacks against the system.</p>"}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7268907", "tags": ["vendor-advisory", "patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "LOW", "baseSeverity": "MEDIUM", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L"}}], "solutions": [{"lang": "en", "value": "IBM strongly encourages customers to update their systems promptly.\n\nProduct(s)Affected Version(s)FixIBM Security Verify Directory (Container)10.0.0-10.0.3 https://www.ibm.com/support/pages/ibm-security-verify-directory-version-10040-download-document", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p><strong>IBM strongly encourages customers to update their systems promptly.</strong></p><div><table><tbody><tr><td><strong>Product(s)</strong></td><td><strong>Affected Version(s)</strong></td><td><strong>Fix</strong></td></tr><tr><td>IBM Security Verify Directory (Container)</td><td>10.0.0-10.0.3</td><td><a href=\"https://www.ibm.com/support/pages/ibm-security-verify-directory-version-10040-download-document\" rel=\"nofollow\">https://www.ibm.com/support/pages/ibm-security-verify-directory-version-10040-download-document</a></td></tr></tbody></table></div><p></p>"}]}], "x_generator": {"engine": "ibm-cvegen"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-23T14:35:10.553484Z", "id": "CVE-2025-36074", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T14:35:26.541Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-36074", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "state": "PUBLISHED", "assignerShortName": "ibm", "dateReserved": "2025-04-15T21:16:13.121Z", "datePublished": "2026-04-22T23:39:34.598Z", "dateUpdated": "2026-04-23T14:35:26.541Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2026-04-22T23:39:34.598Z"}, "title": "Security vulnerability has been detected in IBM Security Verify Directory", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "type": "CWE"}]}], "affected": [{"vendor": "IBM", "product": "Security Verify Directory (Container)", "versions": [{"status": "affected", "version": "10.0.0", "lessThanOrEqual": "10.0.0.3", "versionType": "semver"}], "cpes": ["cpe:2.3:a:ibm:security_verify_directory_container:10.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:security_verify_directory_container:10.0.0.3:*:*:*:*:*:*:*"]}], "descriptions": [{"lang": "en", "value": "IBM Security Verify Directory (Container) 10.0.0 through 10.0.0.3 IBM Security Verify Directory could be vulnerable to malicious file upload by not validating file type. A privileged user could upload malicious files into the system that can be sent to victims for performing further attacks against the system.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>IBM Security Verify Directory (Container) 10.0.0 through 10.0.0.3 IBM Security Verify Directory could be vulnerable to malicious file upload by not validating file type. A privileged user could upload malicious files into the system that can be sent to victims for performing further attacks against the system.</p>"}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7268907", "tags": ["vendor-advisory", "patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "LOW", "baseSeverity": "MEDIUM", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L"}}], "solutions": [{"lang": "en", "value": "IBM strongly encourages customers to update their systems promptly.\n\nProduct(s)Affected Version(s)FixIBM Security Verify Directory (Container)10.0.0-10.0.3 https://www.ibm.com/support/pages/ibm-security-verify-directory-version-10040-download-document", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p><strong>IBM strongly encourages customers to update their systems promptly.</strong></p><div><table><tbody><tr><td><strong>Product(s)</strong></td><td><strong>Affected Version(s)</strong></td><td><strong>Fix</strong></td></tr><tr><td>IBM Security Verify Directory (Container)</td><td>10.0.0-10.0.3</td><td><a href=\"https://www.ibm.com/support/pages/ibm-security-verify-directory-version-10040-download-document\" rel=\"nofollow\">https://www.ibm.com/support/pages/ibm-security-verify-directory-version-10040-download-document</a></td></tr></tbody></table></div><p></p>"}]}], "x_generator": {"engine": "ibm-cvegen"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-36074", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-23T14:35:10.553484Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T14:35:21.448Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ibm:security_verify_directory:*:*:*:*:*:*:*:*", "matchCriteriaId": "8B656697-5EF2-4D96-8CB3-1D8D36947ECC", "versionEndIncluding": "10.0.3", "versionStartIncluding": "10.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "IBM Security Verify Directory (Container) 10.0.0 through 10.0.0.3 IBM Security Verify Directory could be vulnerable to malicious file upload by not validating file type. A privileged user could upload malicious files into the system that can be sent to victims for performing further attacks against the system."}], "id": "CVE-2025-36074", "lastModified": "2026-05-13T23:08:37.987", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 4.2, "source": "psirt@us.ibm.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-23T00:16:43.093", "references": [{"source": "psirt@us.ibm.com", "tags": ["Vendor Advisory"], "url": "https://www.ibm.com/support/pages/node/7268907"}], "sourceIdentifier": "psirt@us.ibm.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "psirt@us.ibm.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[10.0.0,10.0.0.3]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Security Verify Directory (Container)", "source": "cna", "vendor": "IBM"}, "product": "security_verify_directory_container", "vendor": "ibm"}], "analysis": {"en": {"generated_at": "2026-04-29T02:21:29.801783+00:00", "value": {"mitigation_remediation": ["Download and install the latest IBM Security Verify Directory (Container) update from the IBM support page (e.g., version 10.0.4) as described in the official advisory.", "Configure the application to reject all non\u2011whitelisted file types during upload by enforcing strict MIME type checks.", "Restrict file uploads to authenticated privileged users only, disabling any anonymous or generic upload endpoints."], "summary": {"action": "Apply Patch", "impact": "Malicious File Upload"}, "threat_synthesis": {"affected_systems": "The vulnerability affects IBM Security Verify Directory (Container) releases 10.0.0, 10.0.0.1, 10.0.0.2, and 10.0.0.3.", "description_and_impact": "IBM Security Verify Directory (Container) versions 10.0.0 through 10.0.0.3 allow a privileged user to upload files without validating the file type. By uploading arbitrary files, an attacker can place malicious payloads on the system that may later be sent to other users, potentially enabling phishing or remote code execution on victim machines.", "risk_and_exploitability": "The CVSS score of 5.5 indicates a moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation at this time. The flaw is not listed in the CISA KEV catalog. Exploitation requires a privileged user or local/remote access to the container and the ability to upload a file that the system will later deliver to victims. The risk is increased if the system automatically distributes or executes uploaded files, but the narrow scope and low EPSS score mitigate immediate widespread impact."}}}}, "created": "2026-04-28T04:15:15.761035+00:00", "updated": "2026-04-29T02:30:07.582902+00:00", "vendors": ["ibm", "ibm$PRODUCT$security_verify_directory_container"]}