CVE-2025-33117

EUVD-2025-18994 | CRITICAL
2025-06-19 [email protected]
CVSS 3.1 base score: 9.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 15, 2026 - 00:08 (vuln.today)
EUVD ID Assigned: Mar 15, 2026 - 00:08 (euvd), EUVD-2025-18994
CVE Published: Jun 19, 2025 - 18:15 (nvd), CRITICAL 9.1

Description

IBM QRadar SIEM 7.5 through 7.5.0 Update Package 12 could allow a privileged user to modify configuration files that would allow the upload of a malicious autoupdate file to execute arbitrary commands.

Analysis

IBM QRadar SIEM versions 7.5 through 7.5.0 Update Package 12 contain a privilege escalation vulnerability: an authenticated administrative user can modify configuration files and upload a malicious autoupdate package, leading to arbitrary command execution with system-level privileges. The vulnerability is rated high severity (CVSS 9.1) and affects SIEM infrastructure. Although it requires high privileges (PR:H), the network-accessible attack vector (AV:N) and the absence of any user interaction (UI:N) make it a significant risk in multi-user enterprise environments where administrative credentials may be compromised or misused.

Technical Context

The vulnerability stems from improper input validation in IBM QRadar's autoupdate mechanism (CWE-73: External Control of File Name or Path). QRadar's configuration management and update delivery system does not properly validate or restrict a privileged user's ability to modify the configuration files that control the autoupdate process. Specifically, an authenticated administrator can manipulate update package metadata or installation paths so that arbitrary code is injected and executed during the autoupdate routine, which typically runs with elevated system privileges. This affects QRadar SIEM 7.5.x deployments (CPE: cpe:2.3:a:ibm:qradar_security_information_and_event_management:7.5*), where the autoupdate feature is a core component for deploying security patches and feature updates. The root cause is the lack of cryptographic validation, file integrity checks, or path canonicalization in the update installation logic.

Affected Products

QRadar Security Information and Event Management (SIEM): 7.5.0; 7.5.0 Update Package 1 through Update Package 12

Remediation

Patch: Upgrade IBM QRadar SIEM to version 7.5.0 Update Package 13 or later. Priority: CRITICAL. Timeline: Immediate (within 24-48 hours).

Interim Mitigation (if patching is delayed): Restrict administrative access to QRadar configuration and autoupdate mechanisms; implement role-based access control (RBAC) to limit which admin accounts can modify update settings; monitor configuration file modifications and autoupdate logs for unauthorized changes. Priority: HIGH.

Detection: Enable and review QRadar audit logs for configuration file modifications (especially update-related configs); monitor system process execution logs for unexpected commands spawned during autoupdate cycles; set alerts on autoupdate package installation anomalies.

Reference: Consult the IBM Security Bulletin and QRadar release notes for detailed patch availability and verification steps; check IBM's official security advisories portal for CVE-2025-33117.

Priority Score

46
KEV: 0
EPSS: +0.1
CVSS: +46
POC: 0
