IBM Turbonomic Prometurbo agent versions 8.16.0 through 8.17.6 grant excessive cluster‑wide permissions, allowing an attacker that has compromised the operator or its service account to read all secrets without restriction. This flaw enables the exfiltration of sensitive credentials, escalates privileges, and can ultimately lead to complete cluster compromise. The vulnerability is a classic example of the category identified by CWE‑269, where misuse of privilege permissions exposes critical data.

The affected product is IBM Turbonomic Prometurbo agent, with security issues identified in releases 8.16.0, 8.17.6, and any intermediary versions. IBM has released version 8.18.0, which includes the necessary fixes; installation instructions for upgrading are provided in the IBM Turbonomic documentation. The vulnerability does not appear in any older or newer versions outside that range.

The CVSS score of 8.8 indicates a high severity, and while an EPSS score is not available, the lack of listing in the CISA KEV catalog suggests no publicly known exploits yet. The attack vector is inferred to be within the cluster; an attacker who gains the operator’s service account or decrypts credentials in the cluster can exploit this flaw. Once the attacker obtains unrestricted read access to secrets, they can exfiltrate credentials or elevate privileges to achieve full control of the cluster infrastructure.