CVE-2025-46599
📋 TL;DR
A configuration change in CNCF K3s versions 1.32.0 through 1.32.3 inadvertently enables the kubelet ReadOnlyPort (10255) in some scenarios, potentially exposing credentials via unauthenticated access. This affects K3s clusters where the default online installation behavior leaves this port accessible. Attackers could leverage this to gather sensitive information from exposed endpoints.
💻 Affected Systems
- CNCF K3s
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain unauthenticated access to kubelet ReadOnlyPort, extract credentials, pivot to compromise the entire Kubernetes cluster, and potentially access sensitive workloads or data.
Likely Case
Unauthenticated attackers access the ReadOnlyPort to gather cluster metadata, node information, and potentially credentials, enabling further reconnaissance or limited privilege escalation.
If Mitigated
With proper network segmentation and access controls, the exposed port remains inaccessible to attackers, limiting impact to internal network reconnaissance only.
🎯 Exploit Status
Exploitation requires network access to port 10255 on kubelet nodes. The vulnerability is straightforward to exploit once access is gained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.32.4-rc1+k3s1 and later
Vendor Advisory: https://github.com/k3s-io/k3s/issues/12164
Restart Required: Yes
Instructions:
1. Back up your K3s configuration and workloads.
2. Upgrade K3s to version 1.32.4-rc1+k3s1 or later using your preferred method (curl install, package manager, etc.).
3. Restart K3s services to apply the fix.
4. Verify the ReadOnlyPort is disabled.
🔧 Temporary Workarounds
Disable ReadOnlyPort via kubelet configuration
Manually disable the kubelet ReadOnlyPort by modifying the kubelet configuration to set readOnlyPort: 0
Edit /etc/rancher/k3s/config.yaml and add: kubelet-arg: "--read-only-port=0"
Restart k3s: sudo systemctl restart k3s
Block port 10255 with firewall
Use host firewall rules to block access to port 10255 from unauthorized networks. The kubelet ReadOnlyPort is a TCP service, so the UDP rule below is harmless but not required; note that rules appended with -A only take effect if no earlier INPUT rule already accepts the traffic.
sudo iptables -A INPUT -p tcp --dport 10255 -j DROP
sudo iptables -A INPUT -p udp --dport 10255 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate kubelet nodes from untrusted networks
- Deploy network monitoring to detect and alert on unauthorized access attempts to port 10255
🔍 How to Verify
Check if Vulnerable:
Check if port 10255 is listening on kubelet nodes: sudo ss -tlnp | grep 10255
Check Version:
k3s --version
Verify Fix Applied:
Verify port 10255 is no longer listening after the patch or configuration change: sudo ss -tlnp | grep 10255 should print nothing
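The three checks above (version in the affected range, config.yaml setting the kubelet read-only port to 0, and nothing bound to TCP 10255) as an added POSIX shell helper; this is example code written for this page, not part of K3s or of the advisory. The sample `ss` listing and config line are constructed inputs, and the live check assumes `k3s` and `ss` are on PATH.

```shell
#!/bin/sh
# Added example: offline-testable checks for the K3s ReadOnlyPort exposure.

# Returns 0 when the version string (e.g. "k3s version v1.32.2+k3s1") is in
# the affected range 1.32.0 through 1.32.3; 1 when outside it; 2 if unparseable.
k3s_version_affected() {
  ver=$(printf '%s\n' "$1" | sed -n 's/.*v\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
  [ -n "$ver" ] || return 2
  set -- $ver                        # major minor patch, local to this function
  [ "$1" -eq 1 ] && [ "$2" -eq 32 ] && [ "$3" -le 3 ]
}

# Returns 0 when the given config.yaml text carries a kubelet-arg that sets
# read-only-port=0 (with or without the leading "--").
config_disables_readonly_port() {
  printf '%s\n' "$1" | grep -Eq 'read-only-port=0([^0-9]|$)'
}

# Returns 0 (and prints the bound address) when an `ss -tln` listing shows a
# TCP listener on port 10255; matching on the Local Address column avoids the
# false hits a bare `grep 10255` can produce on other ports or PIDs.
ss_shows_port_10255() {
  printf '%s\n' "$1" | awk '$1 == "LISTEN" && $4 ~ /:10255$/ { print $4; found = 1 }
                            END { exit found ? 0 : 1 }'
}

# Constructed sample inputs (not captured from a real host).
SS_EXPOSED='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      4096   0.0.0.0:10255       0.0.0.0:*
LISTEN 0      4096   *:10250             *:*'
SS_CLEAN='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      4096   *:10250             *:*'
CFG_FIXED='kubelet-arg: "--read-only-port=0"'

# Live check of this host; run as `sh check.sh --run`.
check_host() {
  ver=$(k3s --version 2>/dev/null | head -n 1)
  if k3s_version_affected "$ver"; then echo "version in affected range: $ver"
  else echo "version not in affected range, or k3s not found: '$ver'"; fi
  if addr=$(ss_shows_port_10255 "$(ss -tln 2>/dev/null)"); then
    echo "TCP 10255 is listening on $addr: kubelet ReadOnlyPort appears enabled"
    return 1
  fi
  echo "TCP 10255 is not listening"
}
case "${1:-}" in --run) check_host ;; esac
```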
📡 Detection & Monitoring
Log Indicators:
- Unusual request sources or volumes for the kubelet in host or kubelet logs
- Requests reaching port 10255; the ReadOnlyPort performs no authentication, so there are no auth failures to look for, only unexpected clients
Network Indicators:
- External IP addresses accessing port 10255
- High volume of requests to port 10255 from single sources
SIEM Query:
dest_port=10255 AND (src_ip NOT IN [trusted_networks])
(the kubelet port is the destination port of inbound connections, so filter on dest_port rather than source_port)
🔗 References
- https://cloud.google.com/kubernetes-engine/docs/how-to/disable-kubelet-readonly-port
- https://github.com/f1veT/BUG/issues/2
- https://github.com/k3s-io/k3s/commit/097b63e588e3c844cdf9b967bcd0a69f4fc0aa0a
- https://github.com/k3s-io/k3s/compare/v1.32.3+k3s1...v1.32.4-rc1+k3s1
- https://github.com/k3s-io/k3s/issues/12164