← volver
CVE-2025-64436

KubeVirt Excessive Role Permissions Could Enable Unauthorized VMI Migrations Between Nodes

CVSS 6.9 MEDIUMEPSS 0.2%CWE-269CWE-276
Vexday Risk Score
13Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 6.9EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
07 nov 2025Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
KubeVirt is a virtual machine management add-on for Kubernetes. In 1.5.0 and earlier, the permissions granted to the virt-handler service account, such as the ability to update VMI and patch nodes, could be abused to force a VMI migration to an attacker-controlled node. This vulnerability could otherwise allow an attacker to mark all nodes as unschedulable, potentially forcing the migration or creation of privileged pods onto a compromised node.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Productos afectados
kubevirt · kubevirt

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://github.com/kubevirt/kubevirt/security/advisories/GHSA-7xgm-5prm-v5gc