CVE-2025-6017

Rhacm: users with clusterreader role can see credentials from managed-clusters

CVSS 5.5 MEDIUMEPSS 0.1%CWE-359

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 5.5EPSS 0.1%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

02 Jul 2025Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

A flaw was found in Red Hat Advanced Cluster Management through versions 2.10, before 2.10.7, 2.11, before 2.11.4, and 2.12, before 2.12.4. This vulnerability allows an unprivileged user to view confidential managed cluster credentials through the UI. This information should only be accessible to authorized users and may result in the loss of confidentiality of administrative information, which could be leaked to unauthorized actors.

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Affected products

ocmRed Hat · Red Hat Advanced Cluster Management for Kubernetes 2

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://access.redhat.com/security/cve/CVE-2025-6017 https://bugzilla.redhat.com/show_bug.cgi?id=2372362