CVE-2025-61688

8.6 HIGH

📋 TL;DR

Omni, a Kubernetes management platform, has an API vulnerability that can leak sensitive information. This affects all deployments using Omni versions before 1.1.5 or 1.0.2, potentially exposing credentials, tokens, or configuration data.

💻 Affected Systems

Products:
  • Omni
Versions: All versions before 1.1.5 (main branch) and before 1.0.2 (stable branch)
Operating Systems: Linux, Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all deployment types: bare metal, virtual machines, and cloud environments.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain access to administrative credentials, secrets, or sensitive configuration data, leading to complete cluster compromise and data exfiltration.

🟠 Likely Case

Unauthorized access to sensitive information such as API tokens, service account credentials, or cluster configuration details that could be used for further attacks.

🟢 If Mitigated

Limited exposure of non-critical information if proper network segmentation and access controls are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires API access but appears straightforward based on the advisory description.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1.5 or 1.0.2

Vendor Advisory: https://github.com/siderolabs/omni/security/advisories/GHSA-77r9-w39m-9xh5

Restart Required: Yes

Instructions:

1. Back up the current configuration.
2. Update Omni to version 1.1.5 (main branch) or 1.0.2 (stable branch).
3. Restart the Omni services.
4. Verify that the update was successful.

🔧 Temporary Workarounds

Restrict API Access

Platform: Linux

Limit network access to the Omni API endpoints using firewall rules or network policies. Replace [OMNI_API_PORT] with the port the Omni API listens on and [TRUSTED_NETWORK] with the trusted source network in CIDR form; the ACCEPT rule must be evaluated before the DROP rule, which is why it is appended first.

iptables -A INPUT -p tcp --dport [OMNI_API_PORT] -s [TRUSTED_NETWORK] -j ACCEPT
iptables -A INPUT -p tcp --dport [OMNI_API_PORT] -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Omni API endpoints from untrusted networks
  • Enable audit logging for all API access and monitor for unusual patterns

🔍 How to Verify

Check if Vulnerable:

Check Omni version (the pattern is anchored on both sides so that two-digit patch numbers such as 1.1.40 or 1.0.10 are not misreported as vulnerable, and pre-1.0 releases are included): omni version | grep -E '(^|[^0-9.])(0\.[0-9]+\.[0-9]+|1\.0\.[01]|1\.1\.[0-4])([^0-9]|$)'

Check Version:

omni version

Verify Fix Applied:

Verify the version is 1.1.5 or higher on the main branch (the pattern also accepts two-digit patch numbers and any later minor or major release): omni version | grep -E '(^|[^0-9.])(1\.1\.([5-9]|[1-9][0-9]+)|1\.([2-9]|[1-9][0-9]+)\.[0-9]+|([2-9]|[1-9][0-9]+)\.[0-9]+\.[0-9]+)([^0-9]|$)'
For the stable branch, verify 1.0.2 or higher within the 1.0.x series (a looser pattern such as 1\.[1-9] would wrongly accept the vulnerable 1.1.0 to 1.1.4 releases): omni version | grep -E '(^|[^0-9.])1\.0\.([2-9]|[1-9][0-9]+)([^0-9]|$)'
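Regex matches on a version string cannot express "1.1.0 to 1.1.4 affected, but 1.0.2 fixed" robustly, so the following branch-aware check is an added example for this advisory (not part of the vendor advisory or the Omni project). It assumes the version is supplied as a bare x.y.z string; the sample "omni version" output it parses is constructed, since the real output format is not given on this page.

```shell
#!/bin/sh
# Added example: classify an Omni version against the CVE-2025-61688 fixed
# releases (1.0.2 on the stable branch, 1.1.5 on the main branch).
# Returns 0 if affected, 1 if fixed, 2 if the string is not x.y.z.
omni_version_vulnerable() {
    v="${1#v}"                      # tolerate a leading "v"
    case "$v" in                    # digits and dots only, no empty parts
        *[!0-9.]*|*..*|.*|*.) return 2 ;;
    esac
    IFS=. read -r major minor patch rest <<EOF
$v
EOF
    [ -n "$major" ] && [ -n "$minor" ] && [ -n "$patch" ] && [ -z "$rest" ] || return 2

    # Everything before 1.0.2, including any 0.x release, is affected.
    if [ "$major" -lt 1 ]; then return 0; fi
    if [ "$major" -gt 1 ]; then return 1; fi
    # Stable branch 1.0.x: fixed from 1.0.2.
    if [ "$minor" -eq 0 ]; then
        [ "$patch" -lt 2 ] && return 0 || return 1
    fi
    # Main branch 1.1.x: fixed from 1.1.5.
    if [ "$minor" -eq 1 ]; then
        [ "$patch" -lt 5 ] && return 0 || return 1
    fi
    # 1.2 and later are assumed to carry the fix (they postdate 1.1.5).
    return 1
}

# Pull the first x.y.z token out of a command's output. The output format
# of "omni version" is an assumption; adjust the filter if it differs.
extract_semver() {
    printf '%s\n' "$1" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Constructed sample output, used here instead of running "omni version".
SAMPLE_OUTPUT='omni version v1.1.4 (build constructed-example)'
ver=$(extract_semver "$SAMPLE_OUTPUT")
if omni_version_vulnerable "$ver"; then
    echo "Omni $ver is affected by CVE-2025-61688: upgrade to 1.1.5 or 1.0.2"
else
    echo "Omni $ver is not affected"
fi
```

In production, replace SAMPLE_OUTPUT with the captured output of the real version command and feed the result to omni_version_vulnerable.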

📡 Detection & Monitoring

Log Indicators:

  • Unusual API access patterns
  • Multiple failed authentication attempts followed by successful sensitive data requests

Network Indicators:

  • Unexpected external connections to Omni API endpoints
  • Traffic patterns indicating data exfiltration

SIEM Query:

source="omni" AND (event_type="api_access" AND sensitive_resource=true) AND src_ip NOT IN [trusted_ips]
