What is the CVSS score of CVE-2025-33117?

CVE-2025-33117 has a CVSS 3.1 base score of 9.1 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Qradar Security Information And Event Manager are affected by CVE-2025-33117?

IBM QRadar SIEM 7.5 through Update Package 12 contains a critical vulnerability allowing privileged users to execute arbitrary commands through malicious auto-update files, potentially compromising…

How to fix or mitigate CVE-2025-33117?

Within 24 hours: Inventory all QRadar instances, identify affected versions (7.5 through 7.5.0 UP12), and restrict administrative access to configuration and auto-update functionality to only essential personnel with enhanced monitoring. Within 7 days: Implement network segmentation to isolate QRadar from other critical systems, disable auto-update functionality if operationally feasible, and establish enhanced logging for all configuration file modifications. Within 30 days: Upgrade to QRadar 7.5.0 UP13 or later once available, conduct forensic analysis of configuration and update logs for indicators of compromise, and review all privileged user accounts for unauthorized activity.

Qradar Security Information And Event Manager CVE-2025-33117

EUVD-2025-18994 CRITICAL

External Control of File Name or Path (CWE-73)

2025-06-19 psirt@us.ibm.com

Privilege Escalation RCE IBM Qradar Security Information And Event Manager

9.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Mar 15, 2026 - 00:08 euvd

EUVD-2025-18994

Analysis Generated

Mar 15, 2026 - 00:08 vuln.today

CVE Published

Jun 19, 2025 - 18:15 nvd

CRITICAL 9.1

DescriptionNVD

IBM QRadar SIEM 7.5 through 7.5.0 Update Package 12 could allow a privileged user to modify configuration files that would allow the upload of a malicious autoupdate file to execute arbitrary commands.

AnalysisAI

IBM QRadar SIEM versions 7.5 through 7.5.0 Update Package 12 contains a privilege escalation vulnerability that allows authenticated administrative users to modify configuration files and upload malicious autoupdate packages, leading to arbitrary command execution with system-level privileges. This is a high-severity vulnerability (CVSS 9.1) affecting SIEM infrastructure; while it requires high privileges (PR:H), the network-accessible attack vector (AV:N) and lack of user interaction (UI:N) make it a significant risk in multi-user enterprise environments where administrative credentials may be compromised or misused.

Technical ContextAI

The vulnerability exploits improper input validation in IBM QRadar's autoupdate mechanism (CWE-73: External Control of File Name or Path). QRadar's configuration management and update delivery system fails to properly validate or restrict privileged users' ability to modify configuration files that control the autoupdate process. Specifically, an authenticated administrator can manipulate update package metadata or installation paths to inject and execute arbitrary code during the autoupdate routine, which typically runs with elevated system privileges. This affects QRadar SIEM 7.5.x deployments (CPE: cpe:2.3:a:ibm:qradar_security_information_and_event_management:7.5*), where the autoupdate feature is a core component for deploying security patches and feature updates. The root cause is the lack of cryptographic validation, file integrity checks, or path canonicalization in the update installation logic.

RemediationAI

Upgrade IBM QRadar SIEM to version 7.5.0 Update Package 13 or later; priority: CRITICAL; timeline: Immediate (within 24-48 hours) Interim Mitigation (if patching delayed): Restrict administrative access to QRadar configuration and autoupdate mechanisms; implement role-based access control (RBAC) to limit which admin accounts can modify update settings; monitor configuration file modifications and autoupdate logs for unauthorized changes; priority: HIGH Detection: Enable and review QRadar audit logs for configuration file modifications (especially update-related configs), monitor system process execution logs for unexpected commands spawned during autoupdate cycles, set alerts on autoupdate package installation anomalies Reference: Consult IBM Security Bulletin and QRadar release notes for detailed patch availability and verification steps; check IBM's official security advisories portal for CVE-2025-33117

More from same product – last 7 days

CVE-2026-7524 CRITICAL Act Now

9.8 May 27

Remote code execution in IBM Langflow OSS versions 1.0.0 through 1.9.1 lets unauthenticated network attackers run arbitr

CVE-2026-8175 CRITICAL Act Now

9.8 May 27

Remote code execution and authentication bypass are possible in IBM Aspera High-Speed Transfer Server and High-Speed Tra

CVE-2026-7876 CRITICAL Act Now

9.1 May 27

Authentication bypass in IBM Aspera High-Speed Transfer Server for Cloud Pak for Integration (CP4I) versions 1.5.1 throu

CVE-2026-5065 HIGH This Week

8.8 May 27

Hard-coded credentials in IBM Controller (versions 11.0.1, 11.1.0, 11.1.1, and 11.1.2) give attackers a static, embedded

CVE-2026-8179 HIGH This Week

8.8 May 27

Arbitrary code execution in IBM Aspera High-Speed Transfer Server and Endpoint (versions 3.7.4 through 4.4.7 Fix Pack 1)

CVE-2025-33117 vulnerability details – vuln.today

Back

Qradar Security Information And Event Manager CVE-2025-33117

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Share

External POC / Exploit Code