Cyber Posture

CVE-2024-45647

Medium

Published: 20 January 2025

Published
20 January 2025
Modified
29 January 2025
KEV Added
Patch
CVSS Score 5.6 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0009 25.2th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-45647 is a medium-severity Unverified Password Change (CWE-620) vulnerability in Ibm Security Verify Access. Its CVSS base score is 5.6 (Medium).

Operationally, ranked at the 25.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and IA-5 (Authenticator Management).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

IA-5 Authenticator Management good match
prevent

IA-5 mandates verification of identity prior to changing authenticators like passwords, directly preventing unverified password resets for expired user accounts.

AC-2 Account Management good match
prevent

AC-2 requires procedures to disable, monitor, and control modifications to expired or inactive accounts, mitigating unauthorized password changes.

AC-3 Access Enforcement partial match
prevent

AC-3 enforces approved authorizations for access to password change functions, addressing the lack of enforcement allowing unauthenticated resets.

NVD Description

IBM Security Verify Access 10.0.0 through 10.0.8 and IBM Security Verify Access Docker 10.0.0 through 10.0.8 could allow could an unverified user to change the password of an expired user without prior knowledge of that password.

Deeper analysisAI

CVE-2024-45647 is a vulnerability in IBM Security Verify Access versions 10.0.0 through 10.0.8, including the Docker edition (versions 10.0.0 through 10.0.8), that enables an unverified user to change the password of an expired user account without prior knowledge of that password. Published on 2025-01-20, the issue carries a CVSS v3.1 base score of 5.6 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L) and maps to CWE-620 (Unverified Password Change) as well as NVD-CWE-Other.

An unauthenticated attacker (PR:N) with network access (AV:N) can exploit this flaw, though it demands high attack complexity (AC:H) and involves no user interaction (UI:N). Exploitation allows the attacker to reset the password of an expired user, resulting in low impacts to confidentiality, integrity, and availability (C:L/I:L/A:L) within the unchanged security scope (S:U).

IBM provides details on the vulnerability, affected versions, and remediation steps in its security advisory at https://www.ibm.com/support/pages/node/7176212.

Details

CWE(s)
CWE-620NVD-CWE-Other

Affected Products

ibm
security verify access
10.0.0 — 10.0.8
ibm
security verify access docker
10.0.0 — 10.0.8

CVEs Like This One

CVE-2024-43187Same product: Ibm Security Verify Access
CVE-2025-0161Same product: Ibm Security Verify Access
CVE-2024-49814Same product: Ibm Security Verify Access
CVE-2026-4101Same product: Ibm Security Verify Access
CVE-2026-1343Same product: Ibm Security Verify Access
CVE-2026-1345Same product: Ibm Security Verify Access
CVE-2026-1346Same product: Ibm Security Verify Access
CVE-2026-1342Same product: Ibm Security Verify Access
CVE-2024-56340Same vendor: Ibm
CVE-2025-0162Same vendor: Ibm

References