CVE-2025-64715
📋 TL;DR
This CVE describes a vulnerability in Cilium where a CiliumNetworkPolicy egress rule that references AWS security group IDs which do not exist or are not attached to any network interface may grant broader outbound access than intended. When the referenced security groups cannot be resolved, the toCIDRset section of the derived policy is not generated, so traffic that the rule was meant to confine to those groups may reach unintended destinations. Users running affected Cilium versions with AWS security group references in egress policies are affected.
💻 Affected Systems
- Cilium
📦 What is this software?
Cilium by Cilium
⚠️ Risk & Real-World Impact
Worst Case
Unauthorized outbound network access from pods to unintended AWS resources or external destinations, potentially enabling data exfiltration or lateral movement.
Likely Case
Accidental policy misconfiguration leads to unintended network permissions, allowing pods to communicate with resources they shouldn't have access to.
If Mitigated
Limited impact if proper network segmentation and additional security controls are in place to restrict traffic beyond Cilium policies.
🎯 Exploit Status
Exploitation requires misconfigured CiliumNetworkPolicies with invalid AWS security group references. No authentication bypass needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.16.17, 1.17.10, or 1.18.4
Vendor Advisory: https://github.com/cilium/cilium/security/advisories/GHSA-38pp-6gcp-rqvm
Restart Required: Yes
Instructions:
1. Identify the current Cilium version.
2. Upgrade to a patched version (1.16.17, 1.17.10, or 1.18.4).
3. Restart Cilium components.
4. Verify that policy behavior matches expectations.
🔧 Temporary Workarounds
No workarounds available
The vendor advisory states there are no workarounds for this issue.
🧯 If You Can't Patch
- Audit all CiliumNetworkPolicies using egress.toGroups.aws.securityGroupsIds to ensure referenced security groups exist and are properly attached
- Implement additional network controls (firewalls, security groups) to restrict outbound traffic beyond Cilium policies
🔍 How to Verify
Check if Vulnerable:
Check the Cilium version and review CiliumNetworkPolicies for egress.toGroups.aws.securityGroupsIds entries whose security group IDs may not exist or may not be attached to any network interface.
Check Version:
kubectl get pods -n kube-system -l k8s-app=cilium -o jsonpath='{.items[0].spec.containers[0].image}'
Verify Fix Applied:
After upgrading, verify policies with AWS security group references generate proper toCIDRset sections and restrict traffic as intended.
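The audit recommended above (cross-checking every egress.toGroups.aws.securityGroupsIds reference against the security groups actually attached to network interfaces) can be scripted. The following is an added example, not code from Cilium or the advisory; the policy list and the attached-group set are constructed sample data in the shape of `kubectl get cnp -A -o json` and of the GroupId values returned by `aws ec2 describe-network-interfaces`.

```python
import json

# Constructed sample: two CiliumNetworkPolicies as returned by `kubectl get cnp -A -o json`
# (example data, not taken from the advisory).
SAMPLE_CNP_LIST = {
    "items": [
        {
            "metadata": {"namespace": "payments", "name": "allow-rds"},
            "spec": {
                "endpointSelector": {"matchLabels": {"app": "api"}},
                "egress": [{"toGroups": [{"aws": {"securityGroupsIds": ["sg-0a1b2c3d"]}}]}],
            },
        },
        {
            "metadata": {"namespace": "payments", "name": "allow-legacy"},
            "spec": {
                "endpointSelector": {"matchLabels": {"app": "batch"}},
                "egress": [{"toGroups": [{"aws": {"securityGroupsIds": ["sg-0a1b2c3d", "sg-deadbeef"]}}]}],
            },
        },
    ]
}

# Constructed sample: security group IDs currently attached to at least one ENI, e.g. gathered with
# `aws ec2 describe-network-interfaces --query 'NetworkInterfaces[].Groups[].GroupId'`.
SAMPLE_ATTACHED = {"sg-0a1b2c3d", "sg-11111111"}


def referenced_security_groups(cnp_list):
    """Map (namespace, name) -> set of SG IDs referenced via egress.toGroups.aws.securityGroupsIds."""
    refs = {}
    for item in cnp_list.get("items", []):
        meta = item["metadata"]
        key = (meta.get("namespace", ""), meta["name"])
        # A CNP carries either a single `spec` or a list of rules under `specs`.
        specs = item.get("specs") or [item.get("spec", {})]
        for spec in specs:
            for rule in spec.get("egress") or []:
                for group in rule.get("toGroups") or []:
                    ids = (group.get("aws") or {}).get("securityGroupsIds") or []
                    refs.setdefault(key, set()).update(ids)
    return refs


def find_unresolved(cnp_list, attached):
    """Return {(namespace, name): [sg ids]} for policies referencing groups attached to no ENI."""
    refs = referenced_security_groups(cnp_list)
    return {key: sorted(ids - attached) for key, ids in refs.items() if ids - attached}


if __name__ == "__main__":
    for (ns, name), missing in find_unresolved(SAMPLE_CNP_LIST, SAMPLE_ATTACHED).items():
        print(f"{ns}/{name}: unresolved security group references {missing}")
```

Any policy reported here is one whose derived toCIDRset may be missing on an unpatched version, so it should be corrected or removed before relying on it for egress restriction.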
📡 Detection & Monitoring
Log Indicators:
- Cilium logs showing policy derivation failures or warnings about invalid security group references
Network Indicators:
- Unexpected outbound connections from pods that should be restricted by CiliumNetworkPolicies
SIEM Query:
source="cilium" AND ("securityGroupsIds" OR "toGroups" OR "policy derivation")
🔗 References
- https://github.com/cilium/cilium/commit/a385856b59c8289cc7273fa3a3062bbf0ef96c97
- https://github.com/cilium/cilium/releases/tag/v1.16.17
- https://github.com/cilium/cilium/releases/tag/v1.17.10
- https://github.com/cilium/cilium/releases/tag/v1.18.4
- https://github.com/cilium/cilium/security/advisories/GHSA-38pp-6gcp-rqvm