vCenter Credential Exposure in Multicluster Engine and Advanced Cluster Management
CVE-2025-2241
8.2 HIGH
Summary
A significant flaw has been identified in Hive, a component of the Multicluster Engine (MCE) and Advanced Cluster Management (ACM), that exposes vCenter credentials in the ClusterProvision object after a vSphere cluster is provisioned. Because the credentials are copied into that object, any user with read access to ClusterProvision objects can extract them, even without access to the underlying Kubernetes Secrets. The flaw therefore carries a risk of unauthorized vCenter access, compromise of cluster management, and privilege escalation.
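A defender-side check for this class of exposure, added here as an example and not code from the advisory or from Hive: it decodes the values of a vSphere credentials Secret and scans ClusterProvision objects (loaded as dicts, e.g. from `kubectl get clusterprovision -A -o json`) for any string field that contains one of those values verbatim or base64-encoded. The Secret, the ClusterProvision and the `installLog` field that carries the leaked value are constructed placeholders; the advisory does not name the affected field, so the scan walks every string in the object.

```python
import base64

# Constructed sample of the vSphere credentials Secret (Kubernetes stores
# Secret .data values base64-encoded). Values here are placeholders.
VSPHERE_CREDS_SECRET = {
    "kind": "Secret",
    "metadata": {"name": "vsphere-creds", "namespace": "cluster-a"},
    "data": {
        "username": base64.b64encode(b"vcadmin@vsphere.local").decode(),
        "password": base64.b64encode(b"EXAMPLE-not-a-real-password").decode(),
    },
}
# Constructed ClusterProvision. The field carrying the leaked value is
# hypothetical (the advisory does not name it), so the scan is field-agnostic.
CLUSTER_PROVISION = {
    "kind": "ClusterProvision",
    "metadata": {"name": "cluster-a-0-abcde", "namespace": "cluster-a"},
    "spec": {
        "clusterDeploymentRef": {"name": "cluster-a"},
        "installLog": 'level=info msg="password=EXAMPLE-not-a-real-password"',
    },
}

def _walk(obj, path="$"):
    """Yield (json-path, value) for every string leaf in a nested object."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _walk(v, f"{path}.{k}")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _walk(v, f"{path}[{i}]")
    elif isinstance(obj, str):
        yield path, obj

def find_leaks(secret, objects, min_len=8):
    """Return (secret key, object:path) for every place a decoded Secret value
    of at least min_len chars appears verbatim or base64-encoded in objects."""
    hits = []
    for key, encoded in secret.get("data", {}).items():
        plain = base64.b64decode(encoded).decode()
        if len(plain) < min_len:  # short values would match by chance
            continue
        needles = {plain, base64.b64encode(plain.encode()).decode()}
        for obj in objects:
            name = obj.get("metadata", {}).get("name", "?")
            for path, text in _walk(obj):
                if any(n in text for n in needles):
                    hits.append((key, f"{name}:{path}"))
    return hits
```

Any hit means the Secret value is readable by everyone who can read that ClusterProvision, so the credential should be rotated and RBAC on ClusterProvision objects reviewed in addition to applying the fixed Hive version.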
References
CVSS v3.1
Score: 8.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Changed
Timeline
Vulnerability published