Cyber Posture

CVE-2025-2241

High

Published: 17 March 2025

Modified: 15 April 2026
CVSS Score: 8.2 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N)
EPSS Score: 0.0004 (12.6th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-2241 is a high-severity Insecure Storage of Sensitive Information (CWE-922) vulnerability. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unsecured Credentials (T1552). The CVE ranks at the 12.6th percentile by exploit likelihood (EPSS), which is below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Unsecured Credentials (T1552). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly remediates the software flaw in Hive that exposes vCenter credentials in ClusterProvision objects after vSphere cluster provisioning.

Prevent: Enforces least privilege by restricting read access to sensitive ClusterProvision objects, limiting who can extract exposed vCenter credentials.

Prevent: Requires management procedures to protect authenticator content like vCenter credentials from unauthorized disclosure in system resources such as ClusterProvision objects.

MITRE ATT&CK Enterprise Techniques

T1552 Unsecured Credentials (Credential Access)
Adversaries may search compromised systems to find and obtain insecurely stored credentials.

Why these techniques?

The vulnerability exposes vCenter credentials in the ClusterProvision object, which directly enables extraction of unsecured credentials without needing access to Secrets.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A flaw was found in Hive, a component of Multicluster Engine (MCE) and Advanced Cluster Management (ACM). This vulnerability causes VCenter credentials to be exposed in the ClusterProvision object after provisioning a VSphere cluster. Users with read access to ClusterProvision objects can extract sensitive credentials even if they do not have direct access to Kubernetes Secrets. This issue can lead to unauthorized VCenter access, cluster management, and privilege escalation.

Deeper analysis

CVE-2025-2241, published on 2025-03-17, is a vulnerability in Hive, a component of Red Hat's Multicluster Engine (MCE) and Advanced Cluster Management (ACM). The flaw exposes vCenter credentials in the ClusterProvision object after provisioning a vSphere cluster. This allows users with read access to ClusterProvision objects to extract sensitive credentials without direct access to Kubernetes Secrets. It carries a CVSS score of 8.2 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N) and maps to CWE-922.

An attacker needs low privileges (PR:L), specifically read access to ClusterProvision objects, and can exploit the flaw over the network (AV:N) without user interaction (UI:N), although attack complexity is high (AC:H). Successful exploitation has high confidentiality and integrity impact (C:H/I:H) with a changed scope (S:C), enabling unauthorized vCenter access, cluster management, and privilege escalation.

Red Hat's security advisory at https://access.redhat.com/security/cve/CVE-2025-2241, Bugzilla entry https://bugzilla.redhat.com/show_bug.cgi?id=2351350, and the Hive fix in https://github.com/openshift/hive/pull/2612 provide details on patches and mitigation steps.

Details

CWE(s)

CVEs Like This One

CVE-2024-56113 (shared CWE-922)
CVE-2025-12539 (shared CWE-922)
CVE-2026-40868 (shared CWE-922)
CVE-2024-57546 (shared CWE-922)
CVE-2024-57436 (shared CWE-922)
CVE-2025-28244 (shared CWE-922)
CVE-2025-21299 (shared CWE-922)
CVE-2024-12315 (shared CWE-922)
CVE-2025-22984 (shared CWE-922)
CVE-2025-22983 (shared CWE-922)
