Cyber Resilience

CVE-2024-45647

Medium

Published: 20 January 2025

Modified: 29 January 2025
CVSS v3.1 base score: 5.6 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS score: 0.0012 (30.8th percentile)
Risk Priority: 11 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-45647 is a medium-severity Unverified Password Change (CWE-620) vulnerability in IBM Security Verify Access. Its CVSS base score is 5.6 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Account Manipulation (T1098). Its EPSS score places it at the 30.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2024-45647 is a vulnerability in IBM Security Verify Access versions 10.0.0 through 10.0.8, including the Docker edition (versions 10.0.0 through 10.0.8), that enables an unverified user to change the password of an expired user account without prior knowledge of that password. Published on 2025-01-20, the issue carries a CVSS v3.1 base score of 5.6 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L) and maps to CWE-620 (Unverified Password Change) as well as NVD-CWE-Other.

An unauthenticated attacker (PR:N) with network access (AV:N) can exploit this flaw, though it demands high attack complexity (AC:H) and involves no user interaction (UI:N). Exploitation allows the attacker to reset the password of an expired user, resulting in low impacts to confidentiality, integrity, and availability (C:L/I:L/A:L) within the unchanged security scope (S:U).

IBM provides details on the vulnerability, affected versions, and remediation steps in its security advisory at https://www.ibm.com/support/pages/node/7176212.


Vulnerability details

IBM Security Verify Access 10.0.0 through 10.0.8 and IBM Security Verify Access Docker 10.0.0 through 10.0.8 could allow an unverified user to change the password of an expired user without prior knowledge of that password.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1098 Account Manipulation (Persistence): Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability enables an unauthenticated password reset on existing (expired) accounts, which maps to Account Manipulation (T1098), and it is exploitable remotely against a public-facing IAM application, which maps to Exploit Public-Facing Application (T1190).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-43187 (same product: IBM Security Verify Access)
CVE-2025-0161 (same product: IBM Security Verify Access)
CVE-2024-49814 (same product: IBM Security Verify Access)
CVE-2026-1343 (same product: IBM Security Verify Access)
CVE-2026-4101 (same product: IBM Security Verify Access)
CVE-2026-1345 (same product: IBM Security Verify Access)
CVE-2026-8633 (same vendor: IBM)
CVE-2025-0159 (same vendor: IBM)
CVE-2023-49886 (same vendor: IBM)
CVE-2026-8620 (same vendor: IBM)

Affected Assets

IBM Security Verify Access, versions 10.0.0 through 10.0.8
IBM Security Verify Access Docker, versions 10.0.0 through 10.0.8

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: IA-5 (Authenticator Management) mandates verification of identity prior to changing authenticators such as passwords, directly preventing unverified password resets for expired user accounts.

Prevent: AC-2 (Account Management) requires procedures to disable, monitor, and control modifications to expired or inactive accounts, mitigating unauthorized password changes.

Prevent: AC-3 (Access Enforcement) enforces approved authorizations for access to password change functions, addressing the lack of enforcement that allows unauthenticated resets.
