CVE-2025-27095
📋 TL;DR
A low-privileged JumpServer user can edit the Kubernetes session configuration so that the API server address points to a host the attacker controls. When JumpServer then opens the session, it sends the cluster's credentials (the Kubernetes token) to that host, where they are captured and can be replayed against the real cluster. Any organization running an unpatched JumpServer version with Kubernetes assets is affected.
💻 Affected Systems
- JumpServer
📦 What is this software?
JumpServer by Fit2cloud: an open-source bastion host / privileged access management (PAM) platform that brokers SSH, RDP, database and Kubernetes sessions to managed assets, so that users never hold the target credentials directly. This vulnerability breaks that credential-hiding guarantee for Kubernetes assets.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of Kubernetes clusters through stolen admin tokens, enabling data exfiltration, resource hijacking, or deployment of malicious workloads.
Likely Case
Unauthorized access to the Kubernetes cluster with whatever permissions the intercepted token carries; if the asset was onboarded with a cluster-admin credential (common for bastion use), that is full cluster access without any further escalation.
If Mitigated
Limited impact if proper network segmentation, token rotation, and least-privilege access controls are implemented.
🎯 Exploit Status
Requires an authenticated JumpServer account; a low-privileged account with access to a Kubernetes asset is enough. The attacker also needs a server they control to receive the redirected API requests. No special tooling beyond the JumpServer UI/API and a listener is implied by the advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.8.0 (v4 release line) or 3.10.18 (v3 release line)
Vendor Advisory: https://github.com/jumpserver/jumpserver/security/advisories/GHSA-5q9w-f4wh-f535
Restart Required: Yes
Instructions:
1. Back up the current JumpServer configuration and data.
2. Update to JumpServer 4.8.0 or 3.10.18 using your deployment method (Docker, source, or package).
3. Restart the JumpServer services.
4. Verify functionality after the upgrade, including an existing Kubernetes session.
🔧 Temporary Workarounds
Disable Kubernetes Session Feature
Temporarily disable Kubernetes session functionality in JumpServer so the session configuration cannot be edited or used until the patch is applied.
Edit the JumpServer configuration to disable the Kubernetes session feature, or restrict access to Kubernetes assets via ACLs.
Restrict Low-Privileged Access
Remove Kubernetes asset/session permissions from low-privileged JumpServer accounts; only users who genuinely need cluster access should be able to reach a Kubernetes asset.
Review and adjust user and group permissions in the JumpServer admin interface.
🧯 If You Can't Patch
- Apply egress filtering so the JumpServer host can only reach the API endpoints of your known clusters (typically TCP 6443); a redirected session then fails instead of leaking the token to an attacker-controlled host
- Rotate the Kubernetes credentials stored for each asset in JumpServer and enable Kubernetes audit logging so that use of a stolen token from an unexpected source can be detected
🔍 How to Verify
Check if Vulnerable:
Determine the running JumpServer version: via the web interface, `jumpserver --version` (where that CLI entry point is installed), or the public settings endpoint `/api/v1/settings/public/`. For container deployments the image tag shown by `docker ps` also carries the version.
Verify Fix Applied:
Confirm the version is 4.8.0 or higher (v4 line) or 3.10.18 or higher (v3 line). Note that the two release lines must be compared separately: 3.10.18 is patched even though it sorts below 4.8.0, while 4.7.x is not.
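The version check is easy to get wrong because the fix landed on two release lines at once (4.7.x is vulnerable, 3.10.18 is not, even though 3.10.18 < 4.8.0). The following is an added example, not JumpServer code: a small Python checker that parses version strings as they appear in the UI, in `docker ps` image tags (e.g. `jumpserver/core:v3.10.17`), or in an API response, and classifies them against the advisory's fixed versions. The version ranges below follow the advisory as summarized on this page; the tag formats are assumptions.

```python
import re
from typing import Tuple

# Fixed releases named in GHSA-5q9w-f4wh-f535: 3.10.18 on the v3 line, 4.8.0 on the v4 line.
FIXED_V3 = (3, 10, 18)
FIXED_V4 = (4, 8, 0)

# Matches 'v3.10.17', '4.8.0', 'jumpserver/core:v4.7.1-ce' (first x.y.z found).
VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from a UI string, image tag or API value.

    Raises ValueError when no x.y.z version is present so that callers cannot
    silently treat an unparsable string as "not vulnerable".
    """
    m = VERSION_RE.search(text.strip())
    if not m:
        raise ValueError(f"no JumpServer version found in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(text: str) -> bool:
    """True if the version falls inside the advisory's affected ranges.

    Affected (per the advisory as summarized on this page):
      - anything below 3.10.18 (the v3 line and older releases predate the fix)
      - 4.0.0 up to but not including 4.8.0
    Anything else (3.10.18+, 4.8.0+, or a later major) is treated as fixed.
    """
    v = parse_version(text)
    if v < FIXED_V3:
        return True
    if v[0] == 4 and v < FIXED_V4:
        return True
    return False


def classify(text: str) -> str:
    """Human-readable verdict used by the usage block below."""
    v = parse_version(text)
    status = "VULNERABLE" if is_vulnerable(text) else "fixed"
    return f"{'.'.join(map(str, v))}: {status}"


if __name__ == "__main__":
    # Constructed inputs for demonstration; substitute your real 'docker ps'
    # tags or the version string from the web UI.
    for sample in ["v3.10.17", "3.10.18", "jumpserver/core:v4.7.1-ce", "v4.8.0", "v4.10.2"]:
        print(classify(sample))
```

Feed it the version strings you collect from each JumpServer node; a `ValueError` means the string needs a manual look rather than being assumed safe.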
📡 Detection & Monitoring
Log Indicators:
- Changes to a Kubernetes asset's session configuration or kubeconfig, in particular a new API server address that is not one of your known cluster endpoints
- Connections from JumpServer to an API server address outside your cluster inventory
- Kubernetes API audit events showing the asset's token used from a source IP other than the JumpServer host
Network Indicators:
- JumpServer connections to unexpected external IPs on Kubernetes API ports (typically 6443)
- Unusual outbound traffic patterns from JumpServer to non-cluster endpoints
SIEM Query (Splunk-style pseudo query; adapt field names to your log pipeline):
source="jumpserver" AND (kubeconfig OR kubernetes) AND (modify OR redirect OR external)
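The keyword query above will be noisy; the reliable signal is an API server address that is not one of your clusters. As an added example (not JumpServer code, and the log line format is constructed, not JumpServer's real output), the Python below applies an allow-list of legitimate cluster endpoints to two kinds of records: configuration changes to a Kubernetes asset's server address, and outbound connections from the JumpServer host on Kubernetes API ports. Both the allow-list and the sample records are assumptions for the demonstration.

```python
import ipaddress
import re
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Allow-list of legitimate cluster API endpoints (assumed values for the example).
ALLOWED_API_HOSTS = {"k8s.internal.example"}
ALLOWED_API_NETS = [ipaddress.ip_network("10.0.5.0/24")]
K8S_API_PORTS = {6443, 443}

KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample records: <timestamp> <source> key=value ...  (not real JumpServer output)
SAMPLE_LOGS = """\
2025-03-10T10:12:01Z jumpserver user=alice action=update resource=k8s_session_config field=server old=https://10.0.5.10:6443 new=https://10.0.5.10:6443
2025-03-10T10:15:44Z jumpserver user=mallory action=update resource=k8s_session_config field=server old=https://10.0.5.10:6443 new=https://203.0.113.7:6443
2025-03-10T10:15:50Z jumpserver conn src=10.0.9.4 dst=203.0.113.7:6443 proto=tcp
2025-03-10T10:16:02Z jumpserver conn src=10.0.9.4 dst=10.0.5.10:6443 proto=tcp
2025-03-10T10:17:30Z jumpserver user=bob action=update resource=k8s_session_config field=server old=https://10.0.5.10:6443 new=https://k8s.internal.example:6443
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split '<ts> <source> k=v k=v ...' into a dict (ts and source included)."""
    ts, source, rest = line.split(" ", 2)
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = ts
    fields["source"] = source
    return fields


def host_and_port(target: str) -> Tuple[str, int]:
    """Accept 'https://host:6443' or 'host:6443'; default to 443 for a URL with no port."""
    if "://" in target:
        u = urlparse(target)
        return (u.hostname or ""), (u.port or 443)
    host, port = target.rsplit(":", 1)
    return host, int(port)


def target_allowed(host: str) -> bool:
    """A host is allowed if it is a known cluster name or an IP inside a known cluster network."""
    if host in ALLOWED_API_HOSTS:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # unknown hostname: not on the allow-list
    return any(ip in net for net in ALLOWED_API_NETS)


def find_suspicious(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (finding_type, actor_or_source, target) for every record that points at
    a Kubernetes API server outside the allow-list."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if f.get("resource") == "k8s_session_config" and f.get("field") == "server":
            host, _ = host_and_port(f["new"])
            if not target_allowed(host):
                findings.append(("config_redirect", f["user"], f["new"]))
        elif "dst" in f:
            host, port = host_and_port(f["dst"])
            if port in K8S_API_PORTS and not target_allowed(host):
                findings.append(("external_api_conn", f["src"], f["dst"]))
    return findings


if __name__ == "__main__":
    for kind, who, target in find_suspicious(SAMPLE_LOGS):
        print(f"{kind}: {who} -> {target}")
```

Run against the constructed sample, it flags mallory's redirect to 203.0.113.7 and the follow-up connection to that host, while alice's unchanged address and bob's change to a known cluster name pass. The config-change finding is the earlier, more actionable one: it fires before the session is opened and the token is sent.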