Skip to main content

Kubernetes CVE-2025-2241

HIGH
Insecure Storage of Sensitive Information (CWE-922)
2025-03-17 secalert@redhat.com GHSA-c339-mwfc-fmr2
8.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.2 HIGH
AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
SUSE
HIGH
qualitative
Red Hat
8.2 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 18, 2026 - 16:22 vuln.today
CVE Published
Mar 17, 2025 - 17:15 nvd
HIGH 8.2

DescriptionCVE.org

A flaw was found in Hive, a component of Multicluster Engine (MCE) and Advanced Cluster Management (ACM). This vulnerability causes VCenter credentials to be exposed in the ClusterProvision object after provisioning a VSphere cluster. Users with read access to ClusterProvision objects can extract sensitive credentials even if they do not have direct access to Kubernetes Secrets. This issue can lead to unauthorized VCenter access, cluster management, and privilege escalation.

AnalysisAI

A credential exposure vulnerability in Red Hat Hive, a component of Multicluster Engine (MCE) and Advanced Cluster Management (ACM), allows VCenter credentials to leak into ClusterProvision objects after VSphere cluster provisioning. Users with read access to ClusterProvision objects can extract these credentials without needing direct Kubernetes Secret access, enabling unauthorized VCenter access, cluster manipulation, and privilege escalation. With an EPSS score of 0.13% (32nd percentile), active exploitation is currently assessed as low probability, and no public exploits have been reported.

Technical ContextAI

This vulnerability affects Red Hat Hive, an operator for provisioning and managing OpenShift clusters in hybrid cloud environments, specifically within Multicluster Engine and Advanced Cluster Management products. The root cause falls under CWE-922 (Insecure Storage of Sensitive Information), where VCenter authentication credentials are improperly stored in ClusterProvision custom resource objects after VMware vSphere cluster provisioning operations. This violates Kubernetes security best practices by exposing sensitive data outside the intended Secret storage mechanism, allowing users with RBAC permissions to read ClusterProvision objects to access credentials they should not have visibility into.

Affected ProductsAI

Red Hat Advanced Cluster Management (ACM) and Red Hat Multicluster Engine (MCE) are affected through their embedded Hive component used for VSphere cluster provisioning. The vulnerability impacts deployments that provision VMware vSphere clusters through Hive's ClusterProvision workflow. Specific version information is available in Red Hat Bugzilla 2351350 at https://bugzilla.redhat.com/show_bug.cgi?id=2351350 and the official Red Hat security advisory at https://access.redhat.com/security/cve/CVE-2025-2241. Organizations using Hive for vSphere cluster management in OpenShift environments should verify their deployment status.

RemediationAI

Apply the patch available in GitHub pull request #2612 at https://github.com/openshift/hive/pull/2612, which addresses the credential exposure issue in Hive's ClusterProvision objects. Red Hat customers should monitor the official security advisory at https://access.redhat.com/security/cve/CVE-2025-2241 for updated packages and follow Red Hat's update procedures for ACM and MCE components. As an interim mitigation, restrict RBAC permissions to ClusterProvision objects to only essential users and service accounts, audit existing access logs for unauthorized ClusterProvision reads, and rotate VCenter credentials for environments where unauthorized access may have occurred. Consider implementing additional monitoring for ClusterProvision object access patterns to detect potential credential harvesting attempts.

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2020-8554 MEDIUM POC
6.3 Jan 21

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter

CVE-2025-55190 CRITICAL POC
9.9 Sep 04

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2026-22039 CRITICAL POC
9.9 Jan 27

Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass

CVE-2024-42480 CRITICAL POC
9.9 Aug 12

Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem

CVE-2023-28110 CRITICAL POC
9.9 Mar 16

Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref

CVE-2026-25996 CRITICAL POC
9.8 Feb 12

String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Server 16.0 Fixed
openSUSE Tumbleweed Fixed

Share

CVE-2025-2241 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy