Cyber Resilience

CVE-2025-41240

Critical

Published: 24 July 2025

Published
24 July 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0132 80.3th percentile
Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-41240 is a critical-severity Files or Directories Accessible to External Parties (CWE-552) vulnerability. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 19.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2025-41240 is a critical exposure vulnerability affecting three Bitnami Helm charts that mount Kubernetes Secrets at the predictable filesystem path /opt/bitnami/*/secrets inside the web server document root. The flaw occurs when the default setting usePasswordFiles=true is enabled, causing the secrets to be written as files accessible via HTTP or HTTPS requests. This configuration affects containerized deployments that expose the application externally.

A remote unauthenticated attacker can exploit the issue by directly requesting specific URLs under the document root to retrieve sensitive credentials such as passwords or keys. Because the path is predictable and no authentication is required, successful exploitation grants full access to the mounted secrets, potentially allowing complete compromise of the affected application and its connected services.

The referenced GitHub Security Advisory GHSA-wgg9-9qgw-529w provides details on the affected charts and remediation steps. The EPSS score has remained flat at 0.0132 with no material increase since disclosure.

EU & UK References

Vulnerability details

Three Bitnami Helm charts mount Kubernetes Secrets under a predictable path (/opt/bitnami/*/secrets) that is located within the web server document root. In affected versions, this can lead to unauthenticated access to sensitive credentials via HTTP/S. A remote attacker could retrieve…

more

these secrets by accessing specific URLs if the application is exposed externally. The issue affects deployments using the default value of usePasswordFiles=true, which mounts secrets as files into the container filesystem.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1552.001 Credentials In Files Credential Access
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

Vulnerability exposes Kubernetes Secrets as predictable, HTTP-accessible files in the document root of a public-facing web application, directly enabling remote exploitation of the exposed service (T1190) and retrieval of unsecured credentials from files (T1552.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2018-25164Shared CWE-552
CVE-2019-25709Shared CWE-552
CVE-2024-12917Shared CWE-552
CVE-2026-34392Shared CWE-552
CVE-2020-37082Shared CWE-552
CVE-2025-26525Shared CWE-552
CVE-2026-35446Shared CWE-552
CVE-2026-31216Shared CWE-552
CVE-2026-34361Shared CWE-552
CVE-2025-69428Shared CWE-552

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations and minimal information transfer for publicly accessible interfaces like web servers, directly preventing unauthenticated HTTP access to mounted Kubernetes Secrets in the document root.

prevent

Restricts access to publicly accessible content, mitigating exposure of sensitive credentials via predictable paths in the web server document root.

prevent

Establishes and enforces secure configuration settings, such as disabling usePasswordFiles=true in Bitnami Helm charts, to prevent mounting Secrets in web-accessible paths.

References