CVE-2025-2241 · HIGH 8.2 · EPSS p35.8%

Description

A flaw was found in Hive, a component of Multicluster Engine (MCE) and Advanced Cluster Management (ACM). This vulnerability causes vCenter credentials to be exposed in the ClusterProvision object after provisioning a vSphere cluster. Users with read access to ClusterProvision objects can extract sensitive credentials even if they do not have direct access to Kubernetes Secrets. This issue can lead to unauthorized vCenter access, cluster management, and privilege escalation.

Scoring

CVSS 3.1: 8.2 (HIGH)
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
EPSS: 0.45% probability of exploitation · percentile 35.8% · 2026-06-18T12:00:27Z
Published: 2025-03-17
Last modified: 2026-04-15

Underlying weaknesses · 1

CWE-922

References

  1. https://access.redhat.com/security/cve/CVE-2025-2241
  2. https://bugzilla.redhat.com/show_bug.cgi?id=2351350
  3. https://github.com/openshift/hive/pull/2612

Type: Weakness · Target: Insecure Storage of Sensitive Information (cwe-922) · Confidence: 0% · Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE: CVE-2025-41225
  2. CVE: CVE-2026-53475
  3. CVE: VMware vCenter Server Privilege Escalation Vulnerability
  4. CVE: VMware vCenter Server Remote Code Execution Vulnerability
  5. CVE: CVE-2026-22806
  6. CVE: CVE-2025-37101

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.