CVE-2025-2241

HIGH 8.2

Hive: exposure of vcenter credentials via clusterprovision in hive / mce / acm

CVSS Score

8.2

EPSS Score

0.0%

EPSS Percentile

0th

A flaw was found in Hive, a component of Multicluster Engine (MCE) and Advanced Cluster Management (ACM). This vulnerability causes VCenter credentials to be exposed in the ClusterProvision object after provisioning a VSphere cluster. Users with read access to ClusterProvision objects can extract sensitive credentials even if they do not have direct access to Kubernetes Secrets. This issue can lead to unauthorized VCenter access, cluster management, and privilege escalation.

CWE	CWE-922
Published	Mar 17, 2025
Last Updated	Mar 18, 2026

Stay Ahead of the Next One

Get instant alerts for

Be the first to know when new high vulnerabilities are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

Affected Versions

Red Hat / Multicluster Engine for Kubernetes

All versions affected

Red Hat / Red Hat Advanced Cluster Management for Kubernetes 2

All versions affected

References

NVD ↗ CVE.org ↗ EPSS Data ↗

access.redhat.com: https://access.redhat.com/security/cve/CVE-2025-2241 bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2351350 github.com: https://github.com/openshift/hive/pull/2612

Credits

Red Hat would like to thank Eric Fried (REDHAT) for reporting this issue.