CVE-2025-33117

9.1 CRITICAL

📋 TL;DR

This vulnerability in IBM QRadar SIEM lets a privileged user modify configuration files so that a malicious autoupdate file can be uploaded and executed, running arbitrary commands on the underlying appliance. It affects IBM QRadar SIEM versions 7.5 through 7.5.0 Update Package 12. An attacker who already holds privileged (administrator-level) access can use it to move from application-level administration to OS-level command execution on the SIEM itself and to establish persistence there.

💻 Affected Systems

Products:
  • IBM QRadar SIEM
Versions: 7.5 through 7.5.0 Update Package 12
Operating Systems: Linux-based QRadar appliances
Default Config Vulnerable: ⚠️ Yes
Notes: Requires privileged user access (administrator or similar). Not exploitable by standard users.

📦 What is this software?

IBM QRadar SIEM is IBM's security information and event management platform: it collects log events and network flows from across an environment, correlates them into offenses, and is normally deployed as a set of Linux-based appliances (console, event and flow processors). Because it holds the organization's security telemetry and integrates with many other systems, command execution on a QRadar host is high value to an attacker.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the QRadar appliance with root-level command execution, exfiltration of the collected security telemetry, and a persistent backdoor installed on the system that is supposed to be watching the rest of the environment.

🟠 Likely Case

A malicious insider or a compromised administrator account abusing legitimate console access to run unauthorized commands on the appliance, potentially leading to tampering with collected data, lateral movement from the SIEM, or disabling of security controls and alerting.

🟢 If Mitigated

Limited impact if strict access control on privileged accounts, file integrity monitoring of the configuration files, and least privilege are enforced, so that any abuse is both harder and visible.

🌐 Internet-Facing: LOW - This requires privileged user access, typically not exposed directly to the internet.
🏢 Internal Only: HIGH - Internal privileged users (malicious insiders or compromised accounts) can exploit this to gain full system control.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Requires privileged access but straightforward file modification and upload.

Exploitation requires existing privileged credentials or compromised privileged account.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply IBM QRadar SIEM 7.5.0 Update Package 13 or later

Vendor Advisory: https://www.ibm.com/support/pages/node/7237317

Restart Required: Yes

Instructions:

1. Download Update Package 13 or later from IBM Fix Central.
2. Follow IBM's QRadar update documentation for applying update packages.
3. Restart QRadar services as required by the update process.

🔧 Temporary Workarounds

Restrict configuration file permissions

linux

Limit write access to the configuration files involved in autoupdate functionality to the essential administrative accounts. Treat this as generic Linux hardening rather than a vendor-supplied fix, and as a partial measure only: the attacker this CVE concerns already holds privileged access and may be able to change permissions back, and QRadar services may need to write to some of these files, so test any permission change on a non-production host first. Substitute the real file paths; the placeholders below are not the actual locations.

chmod 644 /path/to/configuration/files
chown root:root /path/to/configuration/files

Implement file integrity monitoring

linux

Monitor critical configuration files for unauthorized changes using tools like AIDE, Tripwire, or OS-native auditing.

auditctl -w /path/to/configuration/files -p wa -k qradar_config
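The snapshot-and-compare logic behind the file integrity monitoring recommended above, as an added example that is not part of the original advisory or of any IBM tool. It records a SHA-256 hash plus mode, owner and group for every file under a directory and reports additions, removals and drifted fields, so it covers both workarounds at once: permission changes on the files as well as content edits. The directory, file names and contents in `demo()` are constructed and stand in for `/opt/qradar/conf`; on a real host you would snapshot the actual configuration directory right after hardening, store the baseline off-box, and compare on a schedule.

```python
import hashlib
import os
import tempfile

# Fields compared between baseline and current state.
TRACKED = ("sha256", "mode", "uid", "gid")


def file_state(path):
    """Content hash plus the ownership/permission bits the chmod/chown workaround sets."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "mode": oct(st.st_mode & 0o7777),  # permission bits only, e.g. '0o644'
        "uid": st.st_uid,
        "gid": st.st_gid,
    }


def snapshot(root):
    """Baseline every regular file under root, keyed by path relative to root."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # symlink swaps are better caught by the auditd watch; skip here
            state[os.path.relpath(full, root)] = file_state(full)
    return state


def diff(baseline, current):
    """List what changed between two snapshots: added/removed files and drifted fields."""
    changes = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            changes.append({"path": rel, "change": "added"})
        elif new is None:
            changes.append({"path": rel, "change": "removed"})
        else:
            for field in TRACKED:
                if old[field] != new[field]:
                    changes.append({"path": rel, "change": field,
                                    "old": old[field], "new": new[field]})
    return changes


def _write(path, text):
    with open(path, "w") as fh:
        fh.write(text)


def demo():
    """Constructed scenario: a temp dir stands in for /opt/qradar/conf (not real QRadar files)."""
    with tempfile.TemporaryDirectory() as root:
        a = os.path.join(root, "example.conf")
        b = os.path.join(root, "second.conf")
        _write(a, "setting=1\n")
        _write(b, "server=updates.example\n")
        os.chmod(a, 0o644)
        os.chmod(b, 0o644)
        baseline = snapshot(root)                       # taken right after hardening
        _write(a, "setting=1\nextra=tampered\n")        # content of one file edited
        os.chmod(b, 0o666)                              # permissions on another loosened
        _write(os.path.join(root, "planted.conf"), "planted\n")  # a new file appears
        return diff(baseline, snapshot(root))


if __name__ == "__main__":
    for change in demo():
        print(change)
```

Run it once after patching or hardening to produce the baseline, keep that baseline somewhere the QRadar administrator cannot edit, and treat any non-empty `diff()` as something to explain rather than auto-accept.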

🧯 If You Can't Patch

  • Enforce strict least privilege: Review and restrict all privileged accounts to only necessary functions.
  • Implement robust monitoring: Monitor for configuration file changes and unusual autoupdate activities.

🔍 How to Verify

Check if Vulnerable:

Check the QRadar version via Admin tab > System & License Management > Licensed Modules. Compare the full version string including the update package (UP) level: any 7.5.0 build from 7.5.0 up to and including 7.5.0 UP12 is vulnerable, and a bare "7.5.0" without the UP level is not enough to decide.

Check Version:

grep 'Version=' /opt/qradar/conf/about.properties | cut -d'=' -f2

Verify Fix Applied:

Verify version shows 7.5.0 Update Package 13 or later after patching. Check that configuration files have proper permissions.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized modifications to QRadar configuration files
  • Unusual autoupdate file uploads or executions
  • Privileged user activities outside normal patterns

Network Indicators:

  • Unexpected outbound connections from QRadar system post-configuration changes

SIEM Query:

Generic pseudo-query; adapt the event and field names to your log source. The outer parentheses matter: without them the `source="QRadar"` filter applies only to the file-modification branch, and the process-execution branch matches events from every source.

source="QRadar" AND ((event_name="FILE_MODIFIED" AND file_path="/opt/qradar/conf/*") OR (event_name="PROCESS_EXECUTION" AND process_name LIKE "%autoupdate%"))
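Detection logic over the auditd records that the `auditctl -w ... -k qradar_config` rule in the workaround section would produce, as an added example that is not from the original page or from IBM. It groups records by audit serial, resolves relative `PATH` names against the `CWD` record, raises a `config_write` alert for any syscall tagged with the `qradar_config` key that touches a file under `/opt/qradar/conf/`, and an `autoupdate_exec` alert for any `EXECVE` whose argv mentions `autoupdate`. The sample log lines, the file name `example.conf`, the script path `/tmp/autoupdate_payload.sh` and the `auid` values are all constructed; auditd hex-encodes arguments containing spaces or special characters, which this parser does not decode.

```python
import os
import re
from collections import defaultdict

CONFIG_DIR = "/opt/qradar/conf/"   # directory the auditctl watch in the workaround covers
AUDIT_KEY = "qradar_config"        # -k value from that rule

RECORD_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample auditd output (not captured from a real QRadar host).
# 501: interactive session auid 1001, running as root, rewrites a config file via a relative path.
# 502: the same session launches a script whose name contains "autoupdate".
# 503: another login user (auid 1002) tries to write the file and is denied (exit=-13, EACCES).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1718000000.100:501): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=2200 pid=2311 auid=1001 uid=0 euid=0 ses=7 comm="vim" exe="/usr/bin/vim" key="qradar_config"
type=CWD msg=audit(1718000000.100:501): cwd="/opt/qradar/conf"
type=PATH msg=audit(1718000000.100:501): item=0 name="/opt/qradar/conf" inode=4100 dev=fd:01 mode=040755 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1718000000.100:501): item=1 name="example.conf" inode=4242 dev=fd:01 mode=0100644 ouid=0 ogid=0 nametype=CREATE
type=SYSCALL msg=audit(1718000000.200:502): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=2311 pid=2399 auid=1001 uid=0 euid=0 ses=7 comm="sh" exe="/usr/bin/sh" key=(null)
type=EXECVE msg=audit(1718000000.200:502): argc=2 a0="/bin/sh" a1="/tmp/autoupdate_payload.sh"
type=SYSCALL msg=audit(1718000000.300:503): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=3100 pid=3120 auid=1002 uid=1002 euid=1002 ses=9 comm="vim" exe="/usr/bin/vim" key="qradar_config"
type=PATH msg=audit(1718000000.300:503): item=0 name="/opt/qradar/conf/example.conf" inode=4242 dev=fd:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
"""


def parse_events(text):
    """Group raw auditd records into events keyed by serial: {serial: {"ts": ..., "records": [(type, fields)]}}."""
    events = defaultdict(lambda: {"ts": None, "records": []})
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # not an audit record
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("body"))}
        ev = events[m.group("serial")]
        ev["ts"] = m.group("ts")
        ev["records"].append((m.group("type"), fields))
    return events


def detect(text):
    """Return alerts for writes under CONFIG_DIR tagged with AUDIT_KEY and for execve calls naming 'autoupdate'."""
    alerts = []
    for serial, ev in sorted(parse_events(text).items(), key=lambda kv: int(kv[0])):
        recs = ev["records"]
        syscall = next((f for t, f in recs if t == "SYSCALL"), {})
        cwd = next((f.get("cwd", "/") for t, f in recs if t == "CWD"), "/")
        # Relative PATH names are joined with the CWD record; the PARENT entry for the
        # directory itself does not start with CONFIG_DIR (trailing slash) and is ignored.
        paths = [os.path.normpath(os.path.join(cwd, f["name"]))
                 for t, f in recs if t == "PATH" and "name" in f]
        base = {"serial": serial, "ts": ev["ts"], "auid": syscall.get("auid"),
                "uid": syscall.get("uid"), "comm": syscall.get("comm"),
                "exe": syscall.get("exe"), "success": syscall.get("success")}
        if syscall.get("key") == AUDIT_KEY:
            for p in paths:
                if p.startswith(CONFIG_DIR):
                    alerts.append({**base, "kind": "config_write", "target": p})
        execve = next((f for t, f in recs if t == "EXECVE"), None)
        if execve:
            arg_keys = sorted((k for k in execve if re.fullmatch(r"a\d+", k)),
                              key=lambda k: int(k[1:]))
            argv = [execve[k] for k in arg_keys]
            hit = next((a for a in argv if "autoupdate" in a.lower()), None)
            if hit:
                alerts.append({**base, "kind": "autoupdate_exec", "target": hit, "argv": argv})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_AUDIT_LOG):
        print(a["kind"], a["ts"], "auid=" + str(a["auid"]), a["comm"],
              "->", a["target"], "success=" + str(a["success"]))
```

On a real host, feed it the output of `ausearch -k qradar_config --raw` (or the raw audit.log) and forward the resulting alerts to whatever is monitoring the SIEM itself; note that a failed write attempt (`success=no`) is still worth an alert, since it shows who is probing the files.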

🔗 References

  • Vendor Advisory (IBM Security Bulletin): https://www.ibm.com/support/pages/node/7237317