Skip to main content

Qradar Security Information And Event Manager CVE-2025-33117

| EUVDEUVD-2025-18994 CRITICAL
External Control of File Name or Path (CWE-73)
2025-06-19 psirt@us.ibm.com
9.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 15, 2026 - 00:08 euvd
EUVD-2025-18994
Analysis Generated
Mar 15, 2026 - 00:08 vuln.today
CVE Published
Jun 19, 2025 - 18:15 nvd
CRITICAL 9.1

DescriptionCVE.org

IBM QRadar SIEM 7.5 through 7.5.0 Update Package 12 could allow a privileged user to modify configuration files that would allow the upload of a malicious autoupdate file to execute arbitrary commands.

AnalysisAI

IBM QRadar SIEM versions 7.5 through 7.5.0 Update Package 12 contains a privilege escalation vulnerability that allows authenticated administrative users to modify configuration files and upload malicious autoupdate packages, leading to arbitrary command execution with system-level privileges. This is a high-severity vulnerability (CVSS 9.1) affecting SIEM infrastructure; while it requires high privileges (PR:H), the network-accessible attack vector (AV:N) and lack of user interaction (UI:N) make it a significant risk in multi-user enterprise environments where administrative credentials may be compromised or misused.

Technical ContextAI

The vulnerability exploits improper input validation in IBM QRadar's autoupdate mechanism (CWE-73: External Control of File Name or Path). QRadar's configuration management and update delivery system fails to properly validate or restrict privileged users' ability to modify configuration files that control the autoupdate process. Specifically, an authenticated administrator can manipulate update package metadata or installation paths to inject and execute arbitrary code during the autoupdate routine, which typically runs with elevated system privileges. This affects QRadar SIEM 7.5.x deployments (CPE: cpe:2.3:a:ibm:qradar_security_information_and_event_management:7.5*), where the autoupdate feature is a core component for deploying security patches and feature updates. The root cause is the lack of cryptographic validation, file integrity checks, or path canonicalization in the update installation logic.

RemediationAI

Upgrade IBM QRadar SIEM to version 7.5.0 Update Package 13 or later; priority: CRITICAL; timeline: Immediate (within 24-48 hours) Interim Mitigation (if patching delayed): Restrict administrative access to QRadar configuration and autoupdate mechanisms; implement role-based access control (RBAC) to limit which admin accounts can modify update settings; monitor configuration file modifications and autoupdate logs for unauthorized changes; priority: HIGH Detection: Enable and review QRadar audit logs for configuration file modifications (especially update-related configs), monitor system process execution logs for unexpected commands spawned during autoupdate cycles, set alerts on autoupdate package installation anomalies Reference: Consult IBM Security Bulletin and QRadar release notes for detailed patch availability and verification steps; check IBM's official security advisories portal for CVE-2025-33117

CVE-2018-1418 HIGH POC
8.8 Apr 26

IBM Security QRadar SIEM 7.2 and 7.3 could allow a user to bypass authentication which could lead to code execution. Rat

CVE-2020-4280 HIGH POC
8.8 Oct 08

IBM QRadar SIEM 7.3 and 7.4 could allow a remote attacker to execute arbitrary commands on the system, caused by insecur

CVE-2020-4272 HIGH POC
8.8 Apr 15

IBM QRadar 7.3.0 to 7.3.3 Patch 2 could allow a remote attacker to include arbitrary files. Rated high severity (CVSS 8.

CVE-2018-1612 MEDIUM POC
5.8 Jul 17

IBM QRadar Incident Forensics (IBM QRadar SIEM 7.2, and 7.3) could allow a remote attacker to bypass authentication and

CVE-2020-4270 HIGH POC
7.8 Apr 15

IBM QRadar 7.3.0 to 7.3.3 Patch 2 could allow a local user to gain escalated privileges due to weak file permissions. Ra

CVE-2020-4269 HIGH POC
7.5 Apr 15

IBM QRadar 7.3.0 to 7.3.3 Patch 2 contains hard-coded credentials, such as a password or cryptographic key, which it use

CVE-2014-3062 CRITICAL
9.3 Sep 27

Unspecified vulnerability in IBM Security QRadar SIEM 7.1 MR2 and 7.2 MR2 allows remote attackers to execute arbitrary c

CVE-2020-4294 MEDIUM POC
6.3 Apr 15

IBM QRadar 7.3.0 to 7.3.3 Patch 2 is vulnerable to Server Side Request Forgery (SSRF). Rated medium severity (CVSS 6.3),

CVE-2020-4271 MEDIUM POC
6.3 Apr 15

IBM QRadar 7.3.0 to 7.3.3 Patch 2 could allow an authenticated user to send a specially crafted command which would be e

CVE-2017-1696 HIGH
8.8 Dec 20

IBM QRadar 7.2 and 7.3 could allow a remote authenticated attacker to execute arbitrary commands on the system. Rated hi

CVE-2015-4930 CRITICAL
9.0 Oct 04

IBM QRadar SIEM 7.1 MR2 before Patch 11 IF02 and 7.2.x before 7.2.5 Patch 4 allows remote authenticated users to execute

CVE-2020-4274 MEDIUM POC
5.4 Apr 15

IBM QRadar 7.3.0 to 7.3.3 Patch 2 could allow an authenticated user to access data and perform unauthorized actions due

Share

CVE-2025-33117 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy