EUVD-2025-208854

CVE-2025-36051
MEDIUM 6.2 (CVSS 3.1)
2026-03-19 ibm

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: Mar 19, 2026 - 02:30 (vuln.today)
EUVD ID Assigned: Mar 19, 2026 - 02:30 (euvd), EUVD-2025-208854
Patch Released: Mar 19, 2026 - 02:30 (nvd), Patch available
CVE Published: Mar 19, 2026 - 01:55 (nvd), MEDIUM 6.2

Description

IBM QRadar SIEM 7.5.0 through 7.5.0 Update Package 14 stores potentially sensitive information in configuration files that could be read by a local user.

Analysis

IBM QRadar SIEM versions 7.5.0 through 7.5.0 Update Package 14 contain an information disclosure vulnerability where sensitive configuration data is stored in plaintext or insufficiently protected files readable by unprivileged local users. An attacker with local filesystem access can read these configuration files to extract sensitive information such as credentials, API keys, or system parameters, potentially enabling lateral movement or further compromise of the SIEM infrastructure. A patch is available from IBM, and this vulnerability should be prioritized for organizations running affected QRadar versions as SIEM systems are high-value targets.

Technical Context

This vulnerability is rooted in CWE-538 (Insertion of Sensitive Information into Externally-Accessible File or Directory), a well-known weakness where sensitive data persists in locations with overly permissive access controls. The affected product is IBM QRadar SIEM (identified via CPE cpe:2.3:a:ibm:qradar_siem), a centralized security information and event management platform that aggregates logs and security telemetry across enterprise environments. QRadar stores configuration data including authentication credentials, integration details, and system parameters in configuration files. The vulnerability exists because these files are readable by local system users without requiring elevated privileges, violating the principle of least privilege. The root cause is improper file permission enforcement during installation or configuration file generation, allowing non-root users to access files containing secrets that should be restricted to the QRadar application runtime or administrative users only.

Affected Products

IBM QRadar SIEM versions 7.5.0 through 7.5.0 Update Package 14 are affected, as identified by the CPE designation cpe:2.3:a:ibm:qradar_siem. This affects all minor and patch versions within the 7.5.0 branch up to and including Update Package 14. Organizations running QRadar 7.5.0 with any update level from the initial release through UP14 should assess their environment for exposure. IBM has confirmed this vulnerability and provided detailed impact scope in their official security support page at https://www.ibm.com/support/pages/node/7266709.

Remediation

Apply the patch released by IBM for QRadar SIEM 7.5.0, upgrading to a version beyond Update Package 14 as documented in the IBM support advisory (https://www.ibm.com/support/pages/node/7266709). This is the primary and recommended mitigation. Organizations unable to patch immediately should implement compensating controls by restricting local system access to QRadar servers to only necessary administrative and service accounts, enforcing filesystem permissions via SELinux or AppArmor to further restrict read access to QRadar configuration directories, and auditing local user accounts and SSH/console access to identify unauthorized access. Additionally, monitor QRadar configuration file access via host-based intrusion detection and ensure strong authentication for any local accounts that must retain access to the system. Patch deployment should be prioritized in the maintenance window as soon as feasible.
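The filesystem-permission audit mentioned above can be scripted. The following is an added example, not IBM's tooling or code from the advisory: it lists regular files under a directory that any local account can read, counting a file only when every directory between the scan root and the file is also searchable by "other". The directory to scan is an assumption supplied by the operator, since the advisory text here does not name the affected paths; POSIX ACLs and directories above the scan root are not evaluated.

```python
import os
import stat
import sys


def find_exposed_files(root):
    """Return sorted paths of regular files under root readable by any local user.

    A file counts as exposed only if its mode grants read to "other" AND every
    directory from root down to it grants search (execute) to "other".
    Assumptions: mode bits only (no POSIX ACLs); ancestors of root not checked.
    """
    exposed = []

    def walk(directory, reachable):
        mode = os.lstat(directory).st_mode
        # Without o+x on a directory, other users cannot reach anything below it.
        reachable = reachable and bool(mode & stat.S_IXOTH)
        with os.scandir(directory) as entries:
            for entry in entries:
                emode = entry.stat(follow_symlinks=False).st_mode
                if stat.S_ISDIR(emode):
                    walk(entry.path, reachable)
                elif stat.S_ISREG(emode) and reachable and emode & stat.S_IROTH:
                    exposed.append(entry.path)
                # Symlinks and special files are skipped; audit their targets directly.

    walk(root, True)
    return sorted(exposed)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: audit_readable.py <config-directory>")
    findings = find_exposed_files(sys.argv[1])
    for path in findings:
        print(f"{stat.filemode(os.lstat(path).st_mode)} {path}")
    # Non-zero exit lets a scheduled job or compliance check alert on findings.
    sys.exit(1 if findings else 0)
```

Run it as root against each configuration directory on the host before and after patching, and treat any remaining output as a permission to tighten or a secret to rotate.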

Priority Score

31
KEV: 0
EPSS: +0.0
CVSS: +31
POC: 0
