Cyber Resilience

CVE-2023-43029

Medium

Published: 21 March 2025

Published
21 March 2025
Modified
17 August 2025
KEV Added
Patch
CVSS Score v3.1 6.8 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
EPSS Score 0.0006 19.0th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-43029 is a medium-severity Cleartext Storage of Sensitive Information in an Environment Variable (CWE-526) vulnerability in Ibm Storage Virtualize Plugin For Vsphere. Its CVSS base score is 6.8 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unsecured Credentials (T1552); ranked at the 19.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2023-43029 is a vulnerability in IBM Storage Virtualize vSphere Remote Plug-in versions 1.0 and 1.1 that could allow a remote user to obtain sensitive credential information after deployment. Classified under CWE-526, it carries a CVSS v3.1 base score of 6.8 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N), indicating medium severity with high confidentiality impact and changed scope.

The vulnerability can be exploited by a remote attacker who possesses high privileges (PR:H). Exploitation requires low attack complexity over the network with no user interaction, enabling the attacker to access sensitive credential information without impacting integrity or availability.

IBM has published a security advisory detailing the issue at https://www.ibm.com/support/pages/node/7228722.

EU & UK References

Vulnerability details

IBM Storage Virtualize vSphere Remote Plug-in 1.0 and 1.1 could allow a remote user to obtain sensitive credential information after deployment.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1552 Unsecured Credentials Credential Access
Adversaries may search compromised systems to find and obtain insecurely stored credentials.
Why these techniques?

The vulnerability involves cleartext storage of sensitive credentials (CWE-526) in the deployed plug-in, directly enabling adversaries to obtain unsecured credentials.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-14480Same vendor: Ibm
CVE-2026-40153Shared CWE-526
CVE-2026-5065Same vendor: Ibm
CVE-2024-27256Same vendor: Ibm
CVE-2026-45370Shared CWE-526
CVE-2025-1719Same vendor: Ibm
CVE-2025-13691Same vendor: Ibm
CVE-2025-13219Same vendor: Ibm
CVE-2025-36253Same vendor: Ibm
CVE-2014-6271Same product class: hypervisor / virtualization

Affected Assets

ibm
storage virtualize plugin for vsphere
1.0.0, 1.1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the CVE by requiring timely remediation of the software flaw in the vSphere plug-in that exposes sensitive credentials to remote high-privilege users.

prevent

Enforces least privilege to prevent high-privilege (PR:H) remote users from accessing sensitive credential information unless explicitly required.

prevent

Protects the management, storage, and handling of authenticators to prevent exposure of sensitive credential information post-deployment.

References