CVE-2025-33093 in Sterling Partner Engagement Managerinfo

Summary

by MITRE • 05/07/2025

IBM Sterling Partner Engagement Manager 6.1.0, 6.2.0, 6.2.2 JWT secret is stored in public Helm Charts and is not stored as a Kubernetes secret.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 08/20/2025

The vulnerability identified as CVE-2025-33093 affects IBM Sterling Partner Engagement Manager versions 6.1.0, 6.2.0, and 6.2.2, presenting a critical security risk through improper handling of authentication credentials within containerized deployment environments. This issue manifests when JSON Web Token JWT secrets are inadvertently exposed in publicly accessible Helm charts rather than being properly secured as Kubernetes secrets, creating a significant attack surface that compromises the integrity of the authentication system.

The technical flaw stems from the improper configuration of credential storage mechanisms within the Helm chart deployment specifications. When JWT secrets are hardcoded or stored in plain text within Helm chart values files, these sensitive credentials become accessible to anyone with access to the Helm chart repository or the Kubernetes cluster configuration. This misconfiguration violates fundamental security principles for credential management and creates a pathway for unauthorized access to the partner engagement manager system. The vulnerability directly relates to CWE-798, which addresses the use of hard-coded credentials, and CWE-312, concerning the exposure of sensitive information through improper data handling.

The operational impact of this vulnerability extends beyond simple credential exposure, as it enables attackers to forge valid JWT tokens and gain unauthorized access to the Sterling Partner Engagement Manager system. This unauthorized access could potentially lead to data breaches, system compromise, and disruption of partner engagement processes. Attackers could exploit this weakness to impersonate legitimate users, access sensitive partner information, or manipulate engagement workflows, making this a particularly dangerous vulnerability in environments where partner data confidentiality is paramount. The attack surface is further expanded when considering that Helm charts are often stored in public repositories, increasing the likelihood of credential exposure.

Mitigation strategies for this vulnerability require immediate implementation of proper Kubernetes secret management practices. Organizations must ensure that all JWT secrets and other sensitive credentials are stored as Kubernetes secrets rather than being embedded in Helm chart values files. This approach aligns with the principle of least privilege and follows established security frameworks such as those recommended by the Center for Internet Security (CIS) benchmarks for Kubernetes deployments. The implementation should include automated secret management processes, regular credential rotation procedures, and comprehensive monitoring for unauthorized access attempts. Additionally, organizations should conduct thorough audits of their Helm chart repositories to identify and remediate any other instances of exposed credentials, ensuring compliance with security standards such as those outlined in the MITRE ATT&CK framework for cloud security. The remediation process must also include updating the affected IBM Sterling Partner Engagement Manager versions to the latest releases that address this specific credential handling issue.

Responsible

Ibm

Reservation

04/15/2025

Disclosure

05/07/2025

Moderation

accepted

CPE

ready

EPSS

0.00301

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!