Impact
IBM Turbonomic Prometurbo agent versions 8.16.0 through 8.17.6 grant excessive cluster-wide permissions, allowing an attacker who has compromised the operator or its service account to read all secrets without restriction. This flaw enables the exfiltration of sensitive credentials, escalates privileges, and can ultimately lead to complete cluster compromise. The underlying weakness is excessive privilege assignment, classified as CWE-269.
Affected Systems
The affected product is IBM Turbonomic Prometurbo agent, releases 8.16.0 through 8.17.6. Only the endpoints 8.16.0 and 8.17.6 are explicitly listed, so all intermediate versions in that range are inferred to be affected. IBM has released version 8.18.0, which includes the necessary fixes; upgrade instructions are provided in the IBM Turbonomic documentation. The vulnerability does not appear in any older or newer versions outside that range.
Risk and Exploitability
The CVSS score of 8.8 indicates high severity. The EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, which together suggest no publicly known exploitation yet. The attack vector is inferred to be within the cluster: an attacker who gains the operator's service account, or who decrypts credentials held in the cluster, can exploit this flaw. Once the attacker obtains unrestricted read access to secrets, they can exfiltrate credentials or elevate privileges to achieve full control of the cluster infrastructure.
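A defender-side check for the over-broad RBAC pattern the advisory describes, added here as an example and not IBM's or the Prometurbo project's code: it audits Kubernetes role objects for cluster-wide read access to Secrets and separates them from namespace-scoped grants. The role manifests below are constructed for illustration and do not reproduce Prometurbo's actual RBAC.

```python
"""Audit Kubernetes RBAC objects for cluster-wide read access to Secrets.

Added example, not IBM's or Prometurbo's code. The sample roles are
constructed and do not reproduce the agent's real manifests.
"""
import json

# Verbs that let a subject read Secret contents; "*" covers everything.
SECRET_READ_VERBS = {"get", "list", "watch", "*"}


def grants_secret_read(rule):
    """True if a single RBAC rule allows reading Secret objects."""
    groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    verbs = set(rule.get("verbs", []))
    core_api = "" in groups or "*" in groups       # Secrets live in the core group
    secrets = "secrets" in resources or "*" in resources
    return core_api and secrets and bool(verbs & SECRET_READ_VERBS)


def audit_roles(roles):
    """Bucket roles that read Secrets by blast radius.

    A ClusterRole with such a rule reaches every namespace (the advisory's
    pattern); a namespaced Role limits the grant to one namespace.
    """
    findings = {"cluster_wide": [], "namespaced": []}
    for role in roles:
        if any(grants_secret_read(r) for r in role.get("rules", [])):
            bucket = "cluster_wide" if role["kind"] == "ClusterRole" else "namespaced"
            findings[bucket].append(role["metadata"]["name"])
    return findings


def audit_kubectl_output(text):
    """Audit the JSON list printed by `kubectl get clusterroles,roles -A -o json`."""
    return audit_roles(json.loads(text)["items"])


# Constructed sample: an over-broad ClusterRole beside a least-privilege Role
# that pins the grant to one namespace and one named Secret.
SAMPLE_ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "agent-broad"},
     "rules": [{"apiGroups": [""], "resources": ["secrets", "configmaps"],
                "verbs": ["get", "list", "watch"]}]},
    {"kind": "Role", "metadata": {"name": "agent-scoped", "namespace": "turbo"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"],
                "resourceNames": ["agent-credentials"], "verbs": ["get"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "metrics-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "nodes"],
                "verbs": ["get", "list"]}]},
]

if __name__ == "__main__":
    print(json.dumps(audit_roles(SAMPLE_ROLES), indent=2))
```

Any name reported under `cluster_wide` is a candidate for replacement by a namespaced Role, or for review of which service accounts are bound to it.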
OpenCVE Enrichment