CVE-2025-33120

Severity: 7.8 HIGH (CVSS base score)

📋 TL;DR

CVE-2025-33120 is a privilege escalation vulnerability in IBM QRadar SIEM: a cronjob on the appliance runs with more privileges than it needs, and an authenticated user can abuse it to gain elevated privileges on the system. It affects IBM QRadar SIEM 7.5 through 7.5.0 UP13. Exploitation requires an existing authenticated account; the flaw is not reachable by unauthenticated attackers.

💻 Affected Systems

Products:
  • IBM QRadar SIEM
Versions: 7.5 through 7.5.0 UP13
Operating Systems: Linux-based QRadar appliances
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments within the affected version range are vulnerable unless patched.

📦 What is this software?

IBM QRadar SIEM is IBM's security information and event management platform: it collects, normalizes and correlates log and flow data from an organization's systems, so the appliance typically holds credentials for log sources and a consolidated view of the environment's security telemetry.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An authenticated attacker gains root privileges on the QRadar appliance, enabling complete system compromise, tampering with or deletion of the security telemetry the SIEM holds, data exfiltration, and lateral movement within the network.

🟠 Likely Case

Authenticated users (including low-privileged accounts) escalate to administrative privileges, allowing them to modify configurations, access sensitive data, and potentially deploy malware.

🟢 If Mitigated

If the appliance is patched to 7.5.0 UP14 or later, or the affected cronjob no longer runs with excess privileges, the escalation path is closed; with access controls and monitoring in place, an attempt is detected and contained before significant damage occurs.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: No
Complexity: LOW

Exploitation requires authenticated access but is relatively straightforward once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.5.0 UP14 or later

Vendor Advisory: https://www.ibm.com/support/pages/node/7242869

Restart Required: Yes

Instructions:

1. Back up the current configuration.
2. Download IBM QRadar SIEM 7.5.0 UP14 or later from IBM Fix Central and apply it.
3. Follow IBM's upgrade documentation.
4. Restart the system as required.

🔧 Temporary Workarounds

Restrict cronjob permissions

Review the appliance's cron entries and make sure each job runs as the least-privileged account it needs:

Review /etc/crontab, /etc/cron.d/* and the per-user crontabs (crontab -l -u <user>)
In /etc/crontab and /etc/cron.d/* the sixth field is the account the job runs as; where a job does not need root, set that field to an unprivileged account rather than wrapping the command in 'su - user -c command'
Make sure any script a root job executes, and the directory holding it, is owned by root and not writable by group or others

This is not a vendor-documented workaround: QRadar is a managed appliance, and hand-edited cron entries can break product functions or be reverted by a later update package. Treat it as a stopgap and re-check after any upgrade.

🧯 If You Can't Patch

  • Implement strict access controls and monitor for privilege escalation attempts.
  • Segment QRadar systems and limit access to only necessary administrative users.

🔍 How to Verify

Check if Vulnerable:

Check the QRadar version in the Admin interface or from the command line. Any 7.5.x release up to and including 7.5.0 UP13 is vulnerable.

Check Version:

grep VERSION /opt/qradar/conf/product.conf

Verify Fix Applied:

Verify that the QRadar version is 7.5.0 UP14 or later. If you applied the cron workaround instead, confirm that no root-run cron entry executes a script (or lives in a directory) that a non-root account can modify.
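The check below is an added example, not IBM's or this page's own code. It implements the review the workaround section asks for and the verification step above: it walks system-crontab files and reports root-run entries whose executable, or the directory holding it, is owned by someone else or is group- or world-writable. It assumes the system-crontab format used by /etc/crontab and /etc/cron.d/* (minute hour dom month dow user command), GNU coreutils stat(1), and that root is the trusted owner unless a second argument overrides it (so the check can be exercised against constructed files without root).

```shell
#!/usr/bin/env bash
# Added example (not IBM's or this page's code): audit system-crontab files for
# entries that run as root but whose executable, or the directory holding it,
# can be modified by someone other than the trusted owner. A root cron job that
# executes a script a lower-privileged account can edit is the classic shape of
# a "cronjob running with unnecessary privileges" escalation.
#
# Assumptions: system-crontab format (min hour dom mon dow user command) as used
# by /etc/crontab and /etc/cron.d/*; GNU coreutils stat(1); the trusted owner
# defaults to root (an optional second argument overrides it so the check can
# be run against constructed files as an unprivileged user).

# Succeed if OBJ is owned by TRUSTED and is neither group- nor world-writable.
safe_object() {
    local obj="$1" trusted="$2" owner perm
    owner=$(stat -c %U "$obj")
    perm=$(stat -c %A "$obj")                   # e.g. -rwxr-xr-x
    [ "$owner" = "$trusted" ] || return 1
    case "$perm" in
        ?????w*|????????w*) return 1 ;;         # 6th char: group w, 9th: other w
    esac
    return 0
}

# Print one finding per line for root-run entries in CRONFILE:
#   <cronfile>: root runs <path> (<what is modifiable>)
audit_cron_file() {
    local cronfile="$1" trusted="${2:-root}"
    local line user cmd path dir
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|\#*|[A-Za-z_]*=*) continue ;;    # blank, comment, VAR=value
        esac
        set -f                                  # never glob the * fields
        set -- $line
        set +f
        [ $# -gt 0 ] || continue                # whitespace-only line
        if [ "${1#@}" != "$1" ]; then           # @reboot / @daily form
            [ $# -ge 3 ] || continue
            user="$2"; shift 2
        else
            [ $# -ge 7 ] || continue
            user="$6"; shift 6
        fi
        cmd="$*"
        [ "$user" = root ] || continue          # only root-run jobs matter here
        path="${cmd%% *}"                       # first word is the executable
        case "$path" in /*) ;; *) continue ;; esac   # skip PATH lookups/builtins
        [ -e "$path" ] || continue
        dir=$(dirname "$path")
        if ! safe_object "$path" "$trusted"; then
            printf '%s: %s runs %s (executable modifiable by non-%s)\n' \
                "$cronfile" "$user" "$path" "$trusted"
        elif ! safe_object "$dir" "$trusted"; then
            printf '%s: %s runs %s (directory %s modifiable by non-%s)\n' \
                "$cronfile" "$user" "$path" "$dir" "$trusted"
        fi
    done < "$cronfile"
}

# Run the audit over the standard system cron locations and print findings.
audit_system_cron() {
    local trusted="${1:-root}" f
    for f in /etc/crontab /etc/cron.d/*; do
        if [ -f "$f" ]; then
            audit_cron_file "$f" "$trusted"
        fi
    done
    return 0
}
```

On a real appliance, source the file and run `audit_system_cron` as root; an empty result means no root job depends on a file that a lower-privileged account could rewrite. The check only inspects the first word of each command, so jobs that run an interpreter on a script argument (`/bin/sh /path/job.sh`) need the script path checked by hand.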

📡 Detection & Monitoring

Log Indicators:

  • Privilege escalation events in the appliance's own auth/audit logs: new root sessions, or su/sudo activity, originating from service or low-privileged accounts
  • Cron log entries showing root-run jobs executing commands or script paths that were not in the baseline, or scripts modified shortly before they ran
  • Authentication logs showing low-privileged users reaching administrative functions they are not entitled to
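The helper below is an added example, not IBM's or this page's own code; it turns the second indicator above into a check by comparing the root-run commands in a cron log against a baseline captured from a known-good host. It assumes syslog-style cron lines of the form "<date> <host> CROND[<pid>]: (<user>) CMD (<command>)" as written by cronie/vixie cron (CRON[...] on Debian-derived systems), a baseline file with one exact command per line, and POSIX sed/sort/grep.

```shell
#!/usr/bin/env bash
# Added example (not IBM's or this page's code): flag root-run cron commands in
# a cron log that do not appear in a baseline captured from a known-good host.
# A root job executing a command it never executed before is the concrete
# signal behind "unexpected cronjob executions with elevated privileges".
#
# Assumptions: syslog-style cron lines,
#   "<date> <host> CROND[<pid>]: (<user>) CMD (<command>)"  (CRON[...] on Debian);
# the baseline is a plain text file with one exact command per line;
# POSIX sed/sort/grep.

# Extract the command of every root CMD line in LOGFILE, deduplicated.
root_cron_commands() {
    local logfile="$1"
    sed -n 's/.*CROND\{0,1\}\[[0-9]*\]: (root) CMD (\(.*\))$/\1/p' "$logfile" | sort -u
}

# Print root-run commands from LOGFILE that are absent from BASELINE.
# Exit status is 0 whether or not anything is found; callers read the output.
new_root_cron_commands() {
    local baseline="$1" logfile="$2"
    root_cron_commands "$logfile" | grep -vxF -f "$baseline" || true
}

# Build (or refresh) BASELINE from a log taken while the host was known-good.
make_cron_baseline() {
    local logfile="$1" baseline="$2"
    root_cron_commands "$logfile" > "$baseline"
}
```

Run `make_cron_baseline` once from a log window you trust, then schedule `new_root_cron_commands` against the live cron log and alert on any output. Refresh the baseline after applying an update package, since the legitimate set of root jobs can change with the product.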

Network Indicators:

  • Unusual outbound connections from QRadar system
  • Unexpected administrative protocol traffic

SIEM Query (AQL, run from the Log Activity tab's Advanced Search; the appliance's own OS and cron logs must be collected as a log source for this to return anything, and devicetype is a numeric log source type ID in AQL, so it cannot be compared to the string 'QRadar'):

SELECT starttime, username, QIDNAME(qid) AS eventname, LOGSOURCENAME(logsourceid) AS logsource
FROM events
WHERE (QIDNAME(qid) ILIKE '%privilege%' OR QIDNAME(qid) ILIKE '%cron%')
  AND severity >= 7
LAST 24 HOURS

🔗 References

  • Vendor advisory (IBM Support): https://www.ibm.com/support/pages/node/7242869