CVE-2025-2241 (severity: HIGH)

CVE-2025-2241: Hive: exposure of vCenter credentials via ClusterProvision in Hive / MCE / ACM

Vendor Red Hat
Product Multicluster Engine for Kubernetes
Weakness CWE-922
Published March 17, 2025
Last update March 18, 2026

CVSS base score

8.2/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Scope Changed
Confidentiality High
Integrity High
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

Description

A flaw was found in Hive, a component of Multicluster Engine (MCE) and Advanced Cluster Management (ACM). This vulnerability causes vCenter credentials to be exposed in the ClusterProvision object after provisioning a vSphere cluster. Users with read access to ClusterProvision objects can extract these sensitive credentials even if they do not have direct access to Kubernetes Secrets. This issue can lead to unauthorized vCenter access, cluster management, and privilege escalation.

Disclosure timeline

March 17, 2025 CVE published
March 18, 2026 Record updated