CVE-2025-33020: CWE-311 Missing Encryption of Sensitive Data in IBM Engineering Systems Design Rhapsody

Severity: Medium
Type: Vulnerability
Tags: cve, cve-2025-33020, cwe-311
Published: Wed Jul 23 2025 (07/23/2025, 14:47:29 UTC)
Source: CVE Database V5
Vendor/Project: IBM
Product: Engineering Systems Design Rhapsody

Description

IBM Engineering Systems Design Rhapsody 9.0.2, 10.0, and 10.0.1 transmits sensitive information without encryption that could allow an attacker to obtain highly sensitive information.

AI-Powered Analysis

Last updated: 08/19/2025, 01:16:29 UTC

Technical Analysis

CVE-2025-33020 is a medium-severity vulnerability identified in IBM Engineering Systems Design Rhapsody versions 9.0.2, 10.0, and 10.0.1. The vulnerability is classified under CWE-311, which pertains to the missing encryption of sensitive data during transmission. Specifically, the affected versions of Rhapsody transmit sensitive information over the network without applying adequate encryption mechanisms. This lack of encryption exposes the data to interception by unauthorized parties, potentially allowing attackers to capture highly sensitive information. The CVSS v3.1 base score is 5.9, reflecting a medium severity level. The vector string (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) indicates that the attack vector is network-based (AV:N), requires high attack complexity (AC:H), no privileges (PR:N), no user interaction (UI:N), unchanged scope (S:U), with high impact on confidentiality (C:H), but no impact on integrity (I:N) or availability (A:N). The vulnerability does not require authentication or user interaction, but the high attack complexity suggests that exploitation is not trivial and may require specific conditions or capabilities. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability affects the confidentiality of transmitted data, which could include design specifications, intellectual property, or other sensitive engineering information critical to organizations using IBM Rhapsody for systems design and modeling.

Potential Impact

For European organizations, this vulnerability poses a significant risk to the confidentiality of sensitive engineering and design data transmitted using IBM Engineering Systems Design Rhapsody. Organizations in sectors such as automotive, aerospace, defense, and industrial manufacturing, which heavily rely on systems engineering tools like Rhapsody, could face exposure of proprietary designs and intellectual property. The interception of unencrypted data could lead to industrial espionage, loss of competitive advantage, or leakage of regulated information subject to GDPR and other data protection laws. While the vulnerability does not affect data integrity or system availability, the confidentiality breach alone can have severe reputational and financial consequences. Given the high attack complexity, exploitation may be limited to sophisticated threat actors with network access, such as insider threats or advanced persistent threats (APTs). However, the lack of encryption in network communications remains a critical security gap that undermines trust in the affected product's security posture.

Mitigation Recommendations

European organizations using IBM Engineering Systems Design Rhapsody versions 9.0.2, 10.0, and 10.0.1 should immediately assess their exposure to this vulnerability. Since no patches are currently available, organizations should implement compensating controls such as carrying Rhapsody traffic over secure VPN tunnels or other encrypted communication channels (e.g., TLS) to protect data in transit. Network segmentation should be applied to isolate Rhapsody communication flows from untrusted networks. Monitoring network traffic for unencrypted sensitive data transmissions can help detect potential exploitation attempts. Additionally, organizations should review and restrict network access to Rhapsody servers and clients, limiting it to trusted personnel and systems. Organizations should also engage with IBM support for updates on patch availability and apply patches promptly once released. Finally, organizations should conduct security awareness training to highlight the risks of transmitting sensitive data without encryption and encourage reporting of suspicious network activity.
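One way to implement the traffic-monitoring recommendation is to triage the first client payload of each captured flow into TLS, readable cleartext, or opaque bytes. This is an added example, not part of the original page or of any IBM tooling; the page gives no Rhapsody protocol details, so the addresses, ports and payloads below are constructed samples and the 0.9 threshold is an assumption.

```python
# Constructed first-payload samples keyed by (client, server, port).
# Addresses use documentation ranges; ports and contents are placeholders.
SAMPLE_FLOWS = {
    ("192.0.2.10", "192.0.2.50", 443):
        bytes.fromhex("1603010200010001fc0303") + bytes(32),
    ("192.0.2.11", "192.0.2.50", 9000):
        b'<Model name="brake_controller"><Requirement id="R-12"/></Model>\r\n',
    ("192.0.2.12", "192.0.2.50", 9001): bytes(range(128, 192)),
}

# Printable ASCII plus tab, LF and CR.
PRINTABLE = set(range(0x20, 0x7F)) | {9, 10, 13}

def is_tls_handshake(payload):
    """True if the payload starts with a plausible TLS handshake record header."""
    if len(payload) < 5:
        return False
    content_type, major, minor = payload[0], payload[1], payload[2]
    length = int.from_bytes(payload[3:5], "big")
    # 0x16 = handshake; record versions 0x0301..0x0304; plaintext record <= 2^14.
    return content_type == 0x16 and major == 3 and 1 <= minor <= 4 and 0 < length <= 16384

def printable_ratio(payload):
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not payload:
        return 0.0
    return sum(b in PRINTABLE for b in payload) / len(payload)

def classify(payload, threshold=0.9):
    """Return 'tls', 'cleartext' (human-readable) or 'opaque' (needs review)."""
    if is_tls_handshake(payload):
        return "tls"
    if printable_ratio(payload) >= threshold:
        return "cleartext"
    return "opaque"

def cleartext_flows(flows):
    """Flows whose first payload is readable text sent outside TLS."""
    return sorted(key for key, payload in flows.items() if classify(payload) == "cleartext")

if __name__ == "__main__":
    for key, payload in SAMPLE_FLOWS.items():
        print(key, classify(payload))
```

An "opaque" result means only that the payload is neither TLS nor readable text; it may be compressed, binary or encrypted by other means, so those flows still need manual review.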

Technical Details

Data Version: 5.1
Assigner Short Name: ibm
Date Reserved: 2025-04-15T09:48:51.520Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6880f995ad5a09ad002679c1

Added to database: 7/23/2025, 3:02:45 PM

Last enriched: 8/19/2025, 1:16:29 AM

Last updated: 9/5/2025, 10:02:39 AM