CVE-2025-64432

4.7 MEDIUM

📋 TL;DR

This vulnerability in KubeVirt allows attackers to bypass RBAC controls by exploiting a flawed mTLS authentication implementation in the virt-api component. Attackers can impersonate the Kubernetes API server to gain unauthorized access to the aggregated API server. Users running KubeVirt versions 1.5.3 and below, or version 1.6.0 are affected.

💻 Affected Systems

Products:
  • KubeVirt
Versions: 1.5.3 and below, and version 1.6.0
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments using the vulnerable versions with the virt-api component enabled are affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete cluster compromise through unauthorized access to virtual machine management APIs, potentially leading to data exfiltration, VM manipulation, or lateral movement within the Kubernetes environment.

🟠 Likely Case

Unauthorized access to KubeVirt APIs allowing attackers to view, modify, or delete virtual machine resources within the affected namespace.

🟢 If Mitigated

Limited impact with proper network segmentation and strict RBAC policies, though authentication bypass remains possible.

🌐 Internet-Facing: MEDIUM - While the vulnerability requires internal network access, internet-facing clusters with exposed APIs could be targeted.
🏢 Internal Only: HIGH - Internal attackers or compromised pods can exploit this vulnerability to bypass RBAC controls and gain elevated privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires internal network access and knowledge of the Kubernetes cluster structure, but no authentication is needed once network access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.5.3 and 1.6.1

Vendor Advisory: https://github.com/kubevirt/kubevirt/security/advisories/GHSA-38jw-g2qx-4286

Restart Required: Yes

Instructions:

1. Upgrade KubeVirt to version 1.5.3 or 1.6.1.
2. Update the KubeVirt CRD: kubectl apply -f https://github.com/kubevirt/kubevirt/releases/download/v1.5.3/kubevirt-operator.yaml (or v1.6.1).
3. Restart the virt-api pods: kubectl delete pods -n kubevirt -l kubevirt.io=virt-api

🔧 Temporary Workarounds

Network Policy Restriction

Restrict network access to virt-api pods using Kubernetes Network Policies

kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-virt-api
  namespace: kubevirt
spec:
  podSelector:
    matchLabels:
      kubevirt.io: virt-api
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
    ports:
    - protocol: TCP
      port: 443
EOF

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate virt-api pods from untrusted networks
  • Enhance monitoring and alerting for unauthorized access attempts to virt-api endpoints

🔍 How to Verify

Check if Vulnerable:

Check KubeVirt version: kubectl get kubevirt.kubevirt.io/kubevirt -n kubevirt -o jsonpath='{.status.observedKubeVirtVersion}'

Verify Fix Applied:

Verify version is 1.5.3 or 1.6.1 and check virt-api pod logs for successful TLS handshake validation
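The version check above returns a bare string such as v1.6.0, which still has to be compared by hand against the affected and patched releases. The following POSIX shell helper, added here as an example and not part of the advisory or of the KubeVirt project, parses that string and classifies it against the patch versions named under Official Fix: 1.5.3 on the 1.5 line, 1.6.1 on the 1.6 line, with anything older than 1.5 treated as vulnerable and anything newer than 1.6 reported as unlisted rather than guessed at. It assumes a pre-release suffix such as -rc.1 can be dropped and the numeric part judged on its own; the check_cluster wrapper, which runs the page's kubectl command, is also an assumption about how you would wire it in.

```shell
#!/bin/sh
# Added example (not advisory or project code): classify the value of
#   kubectl get kubevirt.kubevirt.io/kubevirt -n kubevirt \
#     -o jsonpath='{.status.observedKubeVirtVersion}'
# against the patch versions listed under "Official Fix" (1.5.3 and 1.6.1).
# Assumption: a pre-release/build suffix (e.g. "-rc.1") is dropped and the
# numeric part is judged on its own.

kubevirt_version_status() {
  v="${1#v}"            # tolerate a leading "v" (v1.6.0 -> 1.6.0)
  v="${v%%-*}"          # drop pre-release/build suffix (assumption above)
  major="${v%%.*}"
  rest="${v#*.}"
  minor="${rest%%.*}"
  patch="${rest#*.}"
  # "1.5" with no patch component: treat the patch level as 0
  [ "$patch" = "$rest" ] && patch=0
  # refuse anything that is not purely numeric once split
  case "$major$minor$patch" in
    ''|*[!0-9]*) echo unparseable; return 1 ;;
  esac
  if [ "$major" -lt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -lt 5 ]; }; then
    echo vulnerable          # older than the 1.5 line: "1.5.3 and below"
  elif [ "$major" -eq 1 ] && [ "$minor" -eq 5 ]; then
    [ "$patch" -ge 3 ] && echo fixed || echo vulnerable   # fixed from 1.5.3
  elif [ "$major" -eq 1 ] && [ "$minor" -eq 6 ]; then
    [ "$patch" -ge 1 ] && echo fixed || echo vulnerable   # 1.6.0 affected, 1.6.1 fixed
  else
    echo unlisted            # newer than 1.6: not covered by this advisory
  fi
}

# Live check (hypothetical wrapper): needs kubectl and read access to the
# KubeVirt CR in the kubevirt namespace. Exit status 0 only when patched.
check_cluster() {
  observed="$(kubectl get kubevirt.kubevirt.io/kubevirt -n kubevirt \
    -o jsonpath='{.status.observedKubeVirtVersion}')" || return 1
  status="$(kubevirt_version_status "$observed")"
  echo "observed KubeVirt version: $observed -> $status"
  [ "$status" = fixed ]
}
```

Because the helper only inspects the version string, the CR query still has to succeed for check_cluster to say anything; an observedKubeVirtVersion that is empty or still mid-rollout comes back as unparseable, so treat that as "re-check after the operator finishes reconciling" rather than as patched.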

📡 Detection & Monitoring

Log Indicators:

  • Failed TLS certificate validation in virt-api logs
  • Unauthorized API requests to virt-api endpoints
  • Unexpected client certificate CN values in authentication logs

Network Indicators:

  • Unusual traffic patterns to virt-api pods from non-Kubernetes system components
  • Direct connections to virt-api bypassing the Kubernetes API server

SIEM Query:

source="kubevirt" "virt-api" AND ("authentication failed" OR "certificate validation error" OR "unauthorized request")
