CVE-2025-33093: CWE-260 Password in Configuration File in IBM Sterling Partner Engagement Manager
IBM Sterling Partner Engagement Manager 6.1.0, 6.2.0, 6.2.2 JWT secret is stored in public Helm Charts and is not stored as a Kubernetes secret.
AI Analysis
Technical Summary
CVE-2025-33093 is a high-severity vulnerability affecting IBM Sterling Partner Engagement Manager versions 6.1.0, 6.2.0, and 6.2.2. The vulnerability arises because the JWT (JSON Web Token) secret, which is critical for securing authentication tokens, is improperly stored within publicly accessible Helm Charts rather than being securely stored as a Kubernetes secret. Helm Charts are used to package and deploy Kubernetes applications, and if sensitive information such as JWT secrets is embedded in these charts and made public, attackers can easily retrieve these secrets. This exposure allows an attacker to potentially forge JWT tokens, bypass authentication mechanisms, and gain unauthorized access to the application or its data. The vulnerability is classified under CWE-260, which refers to the storage of passwords or secrets in configuration files without adequate protection. The CVSS 3.1 base score of 7.5 reflects a high severity due to the vulnerability's network attack vector, low attack complexity, no privileges required, and no user interaction needed. The impact is primarily on confidentiality, as the attacker can compromise authentication tokens, but integrity and availability are not directly affected. No known exploits are currently reported in the wild, but the public availability of the secret significantly lowers the barrier for exploitation once discovered. The absence of a patch link suggests that remediation may require manual intervention or configuration changes by administrators to move secrets into secure Kubernetes secrets and remove them from public Helm Charts.
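To make the consequence of a leaked HS256 secret concrete, here is an added example (not code from the advisory or from IBM) that signs and verifies a JWT using only Python's standard library and shows why rotating the secret is the right remediation: a token minted under the exposed key verifies against that key and fails once the service switches to a fresh one. The payload, claim names and key values are constructed for illustration; the verifier also pins the algorithm to HS256 so a header claiming another algorithm is rejected.

```python
import base64
import hashlib
import hmac
import json
import secrets


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url; restores the stripped padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Mint a JWT whose signature is HMAC-SHA256 over header.payload."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode("ascii")
    tag = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(tag)}"


def verify_hs256(token: str, secret: bytes):
    """Return the payload if the token is a well-formed HS256 JWT signed with
    `secret`, otherwise None. Only the current secret is accepted, so tokens
    issued under a previous (leaked) secret stop working on rotation."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None  # refuse algorithm switching ("none", RS256, ...)
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    try:
        return json.loads(_b64url_decode(body_b64))
    except ValueError:
        return None


def rotation_demo() -> dict:
    """Show that a token issued under the exposed secret is accepted only until
    the service is switched to a freshly generated one."""
    leaked = secrets.token_bytes(32)   # constructed: stands in for the secret shipped in the chart
    token = sign_hs256({"sub": "partner-42", "role": "admin"}, leaked)  # constructed claims
    rotated = secrets.token_bytes(32)  # fresh secret generated out of band, e.g. by the pipeline
    return {
        "accepted_before_rotation": verify_hs256(token, leaked) is not None,
        "accepted_after_rotation": verify_hs256(token, rotated) is not None,
    }


if __name__ == "__main__":
    print(rotation_demo())
```

The point for defenders is the second value: nothing about the token itself changes, so only replacing the secret on the verifying side invalidates everything minted with the exposed value, which is why rotation, not just moving the secret into a Kubernetes Secret, is required.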
Potential Impact
For European organizations using IBM Sterling Partner Engagement Manager, this vulnerability poses a significant risk to the confidentiality of their partner engagement and supply chain data. Compromise of JWT secrets can lead to unauthorized access to sensitive business transactions, partner communications, and potentially confidential commercial information. Given the critical role of Sterling Partner Engagement Manager in managing B2B integrations and partner workflows, exploitation could disrupt business operations and damage trust relationships. Additionally, unauthorized access could lead to data leakage, regulatory non-compliance (e.g., GDPR violations due to exposure of personal data), and reputational harm. The ease of exploitation (no authentication or user interaction required) increases the threat level, especially for organizations that deploy Helm Charts publicly or do not follow Kubernetes best practices for secret management. The impact is heightened in sectors with stringent data protection requirements, such as finance, healthcare, and manufacturing, which are prevalent across Europe.
Mitigation Recommendations
European organizations should immediately audit their deployments of IBM Sterling Partner Engagement Manager to determine whether JWT secrets are exposed in public Helm Charts. The primary mitigation is to remove any sensitive secrets from Helm Chart templates and default values and instead store them as Kubernetes Secrets, which keep the value out of the chart source, restrict access within the cluster through RBAC, and can be encrypted at rest when the cluster's API server is configured for it (by default Secret data is only base64-encoded). Organizations should implement strict access controls and RBAC policies to limit who can view or modify Kubernetes Secrets. Additionally, rotate the JWT secrets so that any tokens minted with the exposed value are no longer accepted. It is advisable to review and update CI/CD pipelines to ensure secrets are injected securely at deployment time rather than hardcoded in configuration files or charts. Monitoring and alerting should be enhanced to detect suspicious token usage or unauthorized access attempts. Finally, organizations should stay updated with IBM's advisories for any official patches or updates addressing this vulnerability and apply them promptly.
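As an added example of the audit step above (not part of the advisory and not IBM's tooling), the following Python scans rendered Kubernetes manifests, such as the documents produced by `helm template`, and flags credential-looking keys that are supplied as ConfigMap data, as literal container env values, or as env values sourced from a ConfigMap, while accepting values that arrive from a Secret via `secretKeyRef`. The manifest names, image reference, key names and the name-matching pattern are constructed for the example; the weak and corrected sample inputs are inline so the script runs offline.

```python
import re

# Key names that usually carry credentials. Constructed pattern for this example;
# tune it to the chart being audited (it will also match e.g. TOKEN_TTL, so review hits).
SENSITIVE_NAME = re.compile(r"jwt|secret|token|passw(?:or)?d|api[_-]?key", re.IGNORECASE)

# Workload kinds whose pod spec lives at spec.template.spec.
WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job"}


def _pod_spec(manifest: dict) -> dict:
    return manifest.get("spec", {}).get("template", {}).get("spec", {})


def find_inline_secrets(manifests: list) -> list:
    """Return one finding per credential-looking value that is not sourced from a Secret."""
    findings = []
    for m in manifests:
        kind = m.get("kind", "")
        name = m.get("metadata", {}).get("name", "<unnamed>")
        if kind == "ConfigMap":
            for key in (m.get("data") or {}):
                if SENSITIVE_NAME.search(key):
                    findings.append({"kind": kind, "name": name, "key": key,
                                     "issue": "credential stored in ConfigMap data"})
        elif kind in WORKLOAD_KINDS:
            spec = _pod_spec(m)
            for c in spec.get("containers", []) + spec.get("initContainers", []):
                for env in c.get("env", []):
                    env_name = env.get("name", "")
                    if not SENSITIVE_NAME.search(env_name):
                        continue
                    if "value" in env:
                        issue = "literal value in container env"
                    elif "configMapKeyRef" in env.get("valueFrom", {}):
                        issue = "env sourced from ConfigMap instead of Secret"
                    else:
                        continue  # secretKeyRef (or fieldRef): acceptable
                    findings.append({"kind": kind, "name": name,
                                     "key": f"{c.get('name', '?')}/{env_name}", "issue": issue})
    return findings


# Constructed sample: what a rendered chart with the weakness looks like.
WEAK_MANIFESTS = [
    {"apiVersion": "v1", "kind": "ConfigMap", "metadata": {"name": "pem-config"},
     "data": {"LOG_LEVEL": "info", "JWT_SECRET": "example-not-a-real-value"}},
    {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "pem-app"},
     "spec": {"template": {"spec": {"containers": [{
         "name": "pem", "image": "example.invalid/pem:6.2.2",
         "env": [
             {"name": "JWT_SECRET", "value": "example-not-a-real-value"},
             {"name": "API_TOKEN",
              "valueFrom": {"configMapKeyRef": {"name": "pem-config", "key": "API_TOKEN"}}},
             {"name": "DB_HOST", "value": "db"},
         ]}]}}}},
]

# Constructed sample: the corrected layout. The Secret `pem-jwt` is created at deploy
# time by the pipeline and never appears in the chart, so the scan has nothing to flag.
HARDENED_MANIFESTS = [
    {"apiVersion": "v1", "kind": "ConfigMap", "metadata": {"name": "pem-config"},
     "data": {"LOG_LEVEL": "info"}},
    {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "pem-app"},
     "spec": {"template": {"spec": {"containers": [{
         "name": "pem", "image": "example.invalid/pem:6.2.2",
         "env": [
             {"name": "JWT_SECRET",
              "valueFrom": {"secretKeyRef": {"name": "pem-jwt", "key": "jwt-secret"}}},
             {"name": "DB_HOST", "value": "db"},
         ]}]}}}},
]


if __name__ == "__main__":
    for label, docs in (("weak", WEAK_MANIFESTS), ("hardened", HARDENED_MANIFESTS)):
        print(label, find_inline_secrets(docs))
```

To run it against a real chart, render it with `helm template <release> <chart>` and feed the output through PyYAML's `yaml.safe_load_all`, dropping empty documents, to obtain the list the function expects. A clean scan only means the chart no longer carries the value; the rotation step still applies to any secret that was ever published.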
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: ibm
- Date Reserved: 2025-04-15T17:50:31.398Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d981bc4522896dcbd9bb9
Added to database: 5/21/2025, 9:08:43 AM
Last enriched: 8/29/2025, 12:48:44 AM
Last updated: 1/7/2026, 8:56:45 AM