A security flaw in IBM’s QRadar SIEM platform (versions 7.5 through 7.5.0 UP13 IF01) allows a privileged local user to modify configuration files without proper authorization. The issue is tracked as CVE-2025-0164 and results from improper permission assignment.

Main Takeaways
- The flaw is due to incorrect permissions on configuration directories and files, allowing privileged users to tamper with rules, logging, or settings.
- The vulnerability’s CVSS 3.1 base score is 2.3, a low-severity rating, because exploitation requires local privileged access.
- IBM has released UP13 IF02 to fix the permissions issue; administrators should also limit who holds local admin rights and monitor the QRadar config folder.
This vulnerability is classified as CWE-732: Incorrect Permission Assignment for Critical Resource. In the affected QRadar versions, configuration files under /opt/qradar/conf and associated folders are writable by privileged users beyond the intended service account.
With local privileged access (e.g. a sysadmin or support engineer), an attacker—or a misbehaving insider—can alter logging rules, disable detection mechanisms, or otherwise manipulate QRadar’s behavior. These changes could persist until manually discovered and reversed and might skew audit trails or hide malicious activity.
Risk & Impact
- Who’s vulnerable: QRadar SIEM installations running 7.5 through 7.5.0 UP13 IF01.
- What is possible: Unauthorized modifications to configuration files, disabling detection or logging rules, or otherwise undermining the system’s integrity.
- Exploit prerequisites: The attacker must already have privileged local access. Remote exploitation is not in scope.
- Severity rating: CVSS 3.1 score of 2.3 (low) — the limited impact is due to the required level of access.
Mitigations & Recommendations
- Patch: Upgrade to QRadar 7.5.0 UP13 IF02, which corrects the permissions so only the QRadar service account can write the configuration files.
- Restrict admin privileges: Only allow trusted personnel to hold local administrator or system-level access on QRadar hosts.
- Monitor config folder: Set up alerts to detect changes in /opt/qradar/conf (or equivalent paths) and review file modifications regularly.
- Harden host security: Use file integrity monitoring, limit shell access, and enforce separation of duties to reduce the chance a privileged account is misused.
- Audit user roles: Regularly review who holds local privilege, especially on security monitoring systems, and ensure least privilege principles.
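The two host-side controls above (checking who can write the configuration tree, and detecting changes to it) can be scripted. The following is an added example written for this article, not IBM's code or part of the QRadar product. It assumes a Linux host with GNU findutils and coreutils; the directory path and the service account name are passed in as arguments, and the account name `qradar` used in the usage line is a placeholder, since the advisory does not name the service account.

```shell
#!/bin/sh
# Added example (not from IBM or the QRadar product).
# Two defensive checks for a SIEM configuration directory:
#   1. check_conf_perms  - report files writable by anyone other than the
#                          expected service account (ownership or mode).
#   2. snapshot_conf / verify_conf - record a hash baseline and later detect
#                          modified or deleted files.
# Assumes GNU find/sort/xargs/sha256sum/stat (Linux).

# check_conf_perms DIR OWNER
# Prints one line per file that is not owned by OWNER or is group/world
# writable. Returns 1 if any such file exists, 0 otherwise.
check_conf_perms() {
    dir="$1"
    owner="$2"
    # -perm /022: any of group-write or other-write bits set.
    offending=$(find "$dir" -type f \( ! -user "$owner" -o -perm /022 \) 2>/dev/null)
    if [ -n "$offending" ]; then
        printf '%s\n' "$offending" | while read -r f; do
            printf 'WRITABLE-OR-MISOWNED: %s (owner=%s mode=%s)\n' \
                "$f" "$(stat -c '%U' "$f")" "$(stat -c '%a' "$f")"
        done
        return 1
    fi
    return 0
}

# snapshot_conf DIR BASELINE_FILE
# Writes "sha256  path" lines for every regular file under DIR, sorted so the
# baseline is stable across runs. Store BASELINE_FILE outside DIR, read-only.
snapshot_conf() {
    find "$1" -type f -print0 | sort -z | xargs -0 sha256sum > "$2"
}

# verify_conf BASELINE_FILE
# Returns 0 if every file in the baseline still has the recorded hash; prints
# the changed/missing files and returns 1 otherwise. Note that files *added*
# to the directory are not covered by a hash baseline; re-run check_conf_perms
# and compare file lists to catch those.
verify_conf() {
    if sha256sum --quiet -c "$1"; then
        return 0
    fi
    return 1
}

# Usage (placeholder account name; adjust to the real QRadar service account):
#   check_conf_perms /opt/qradar/conf qradar
#   snapshot_conf /opt/qradar/conf /var/lib/conf-baseline.sha256
#   verify_conf /var/lib/conf-baseline.sha256
```

Run `check_conf_perms` once after applying UP13 IF02 to confirm the permission fix took effect, then schedule `verify_conf` (for example from cron) and route a non-zero exit to the same alerting channel used for other host integrity events.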