Home

Description

A security issue was discovered in the Kubernetes Image Builder where default credentials are enabled during the Windows image build process when using the Nutanix or VMware OVA providers. These credentials, which allow root access, are disabled at the conclusion of the build. Kubernetes clusters are only affected if their nodes use VM images created via the Image Builder project and the vulnerability was exploited during the build process, which requires an attacker to access the build VM and modify the image while the build is in progress.

PUBLISHED Reserved 2025-07-07 | Published 2025-08-17 | Updated 2025-08-20 | Assigner kubernetes




HIGH: 7.5CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

VM Images built via Nutanix or OVA providers

Problem types

CWE-798 Use of Hard-coded Credentials

Product status

Default status
unaffected

Any version
affected

0.1.45
unaffected

Credits

Abdel Adim Oisfi, Davide Silvetti, Nicolò Daprelà, Paolo Cavaglià, Pietro Tirenna from Shielder. reporter

References

groups.google.com/...ernetes-security-announce/c/tuEsLUQu_PA mailing-list

github.com/kubernetes/kubernetes/issues/133115 issue-tracking

cve.org (CVE-2025-7342)

nvd.nist.gov (CVE-2025-7342)

Download JSON