KubeVirt Virtual Machine Management Add-on for Kubernetes Vulnerability
CVE-2025-64432

4.7 MEDIUM

Key Information:

Vendor: Kubevirt
Status: Vendor
CVE Published: 7 November 2025

What is CVE-2025-64432?

A flaw in the authentication flow of KubeVirt, a virtual machine management add-on for Kubernetes, allows attackers to bypass Role-Based Access Control (RBAC) mechanisms. Specifically, the virt-api component does not properly authenticate clients when receiving API requests over mutual TLS (mTLS): it fails to validate the Common Name (CN) field of the client TLS certificate against the allowed values specified in the extension-apiserver-authentication configmap. Consequently, an attacker can impersonate the Kubernetes API server and communicate directly with the aggregated API server, sidestepping existing RBAC controls. The issue has been addressed in KubeVirt versions 1.5.3 and 1.6.1.
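What the missing check looks like, as an added illustration that is not KubeVirt's own code: before a request is treated as coming from the Kubernetes API server, the CN of the mTLS client certificate is compared with the allowed names taken from the extension-apiserver-authentication configmap. The allowed-names list and the certificates are constructed for the example, and the empty-list behaviour is an assumption modelled on kube-apiserver's request-header authenticator.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed stand-in for requestheader-allowed-names in the extension-apiserver-authentication configmap.
var requestHeaderAllowedNames = []string{"front-proxy-client"}

// verifyFrontProxyClient is the check the advisory describes as missing: the leaf client cert,
// already chain-verified by TLS against the request-header CA, must carry a CN listed in
// allowedNames. Assumption, mirroring kube-apiserver: an empty list admits any cert from that CA.
func verifyFrontProxyClient(peerCerts []*x509.Certificate, allowedNames []string) error {
	if len(peerCerts) == 0 {
		return fmt.Errorf("no client certificate presented")
	}
	if len(allowedNames) == 0 {
		return nil
	}
	cn := peerCerts[0].Subject.CommonName
	for _, name := range allowedNames {
		if cn == name {
			return nil
		}
	}
	return fmt.Errorf("client CN %q not in requestheader-allowed-names", cn)
}

// selfSignedCert builds a throwaway certificate with the given CN for offline testing; no real cluster issued it.
func selfSignedCert(cn string) *x509.Certificate {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above always parses
	return cert
}
```

A certificate whose CN is not on the list is rejected even though it chains to the trusted CA, which is exactly the distinction the unpatched virt-api did not make.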

Affected Version(s)

kubevirt < 1.5.3

kubevirt >= 1.6.0, < 1.6.1

CVSS V3.1

Score: 4.7
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
