CVE-2025-0163
BaseFortify
Publication date: 2025-06-11
Last updated on: 2025-08-13
Assigner: IBM Corporation
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ibm | security_verify_access | From 10.0.0.0 (inc) to 10.0.9.0 (inc) |
| ibm | security_verify_access_docker | From 10.0.0.0 (inc) to 10.0.9.0 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-204 | The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in IBM Security Verify Access Appliance and Docker versions 10.0 through 10.0.8 allows a remote attacker to enumerate usernames by exploiting differences in system responses related to disabled accounts. This is known as an observable response discrepancy (CWE-204), where the system's behavior reveals information about which usernames exist or are disabled. [1]
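As an added illustration of the CWE-204 pattern described above (constructed example code, not IBM's code and not taken from the advisory), here is a login handler that leaks account state through distinct responses beside a hardened one that answers every failure identically, including the disabled-account case:

```python
import hashlib
import hmac

# Constructed user store: one password hash and a disabled flag per account.
_SALT = b"constructed-static-salt"  # per-user random salts in real code


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


USERS = {
    "alice": {"hash": _hash("correct horse"), "disabled": False},
    "bob": {"hash": _hash("battery staple"), "disabled": True},
}
# Compared against when the username is unknown, so the work done (and the
# response) does not depend on whether the account exists.
_DUMMY_HASH = _hash("dummy")


def login_discrepant(username: str, password: str) -> tuple[int, str]:
    """Vulnerable: each failure path reveals whether the account exists
    and whether it is disabled, which is exactly what CWE-204 describes."""
    user = USERS.get(username)
    if user is None:
        return (401, "unknown user")
    if user["disabled"]:
        return (403, "account disabled")
    if not hmac.compare_digest(user["hash"], _hash(password)):
        return (401, "wrong password")
    return (200, "ok")


def login_uniform(username: str, password: str) -> tuple[int, str]:
    """Hardened: always hash the supplied password, check the disabled flag
    only after that, and return one status and message for every failure.
    The real reason belongs in the server-side audit log, not the response."""
    user = USERS.get(username)
    stored = user["hash"] if user else _DUMMY_HASH
    password_ok = hmac.compare_digest(stored, _hash(password))
    if user is None or user["disabled"] or not password_ok:
        return (401, "invalid username or password")
    return (200, "ok")


def failure_responses(login) -> dict[str, tuple[int, str]]:
    """Responses for the three probe cases an enumeration attempt compares."""
    return {
        "unknown": login("carol", "x"),
        "disabled": login("bob", "x"),
        "wrong_password": login("alice", "x"),
    }
```

The discrepant handler yields three distinguishable responses for the three cases; the uniform handler yields one, so the disabled state is no longer observable from outside.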
How can this vulnerability impact me?
The vulnerability allows an attacker to remotely discover valid usernames on the affected systems without needing any privileges or user interaction. This can aid attackers in further attacks such as targeted phishing or brute force attempts. The confidentiality impact is low, and there is no impact on integrity or availability. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to promptly apply the updates provided by IBM. Specifically, upgrade IBM Security Verify Access Appliance to version 10.0.9 or later, or IBM Verify Identity Access to version 11.0 or later. These updates are available via Passport Advantage, Fix Central, IBM Cloud Registry (for Docker images), and AWS Marketplace. No workarounds or alternative mitigations are provided. [1]