CVE-2025-48710
BaseFortify
Publication date: 2025-06-04
Last updated on: 2025-06-04
Assigner: MITRE
Description
Exploitability
| CWE ID | Description |
|---|---|
| CWE-441 | The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-48710 is a vulnerability in kro (Kube Resource Orchestrator) versions before 0.2.1 that allows users with permission to create or modify ResourceGraphDefinition (RGD) resources to supply arbitrary container images. This leads to a confused-deputy scenario where kro's controllers deploy and run attacker-controlled container images. As a result, an attacker with cluster-admin level permissions can cause unauthenticated remote code execution on Kubernetes cluster nodes by tricking kro into deploying malicious workloads via manipulated CustomResourceDefinitions (CRDs). The issue arises from insufficient monitoring of CRD modifications, bugs causing informer crash loops, and overly broad default permissions. [1]
How can this vulnerability impact me?
This vulnerability can allow an attacker with cluster-admin permissions to deploy malicious container images within your Kubernetes cluster. This can lead to unauthenticated remote code execution on cluster nodes, potentially compromising the entire cluster infrastructure. Attackers could run reverse shells or other malicious payloads, leading to unauthorized access, data breaches, or disruption of services. The default broad permissions and bugs in kro's controller increase the risk of exploitation if proper RBAC controls and runtime monitoring are not in place. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can be done by monitoring for malicious activities such as reverse shell executions at runtime and analyzing permissions related to CRD creation and modification. Orca Security's platform can detect such malicious runtime activities. Additionally, monitoring Kubernetes audit logs for creation or modification of ResourceGraphDefinition (RGD) and CustomResourceDefinition (CRD) resources by users with cluster-admin or high privileges can help detect exploitation attempts. Specific commands to check for suspicious CRD modifications include:

1. `kubectl get crd -o yaml` to review CRDs
2. `kubectl get resourcegraphdefinitions -o yaml` to inspect RGDs
3. `kubectl logs` for the kro controllers to identify crash loops or unusual behavior

Also, reviewing RBAC permissions with `kubectl get clusterrolebindings` and `kubectl get clusterroles` can help identify overly broad permissions that could be exploited. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the patches released by kro maintainers to fix the bugs causing informer crash loops and insufficient monitoring. Restrict RBAC permissions to limit who can create or modify ResourceGraphDefinition and CustomResourceDefinition resources, avoiding granting cluster-admin or overly broad privileges unnecessarily. Implement runtime monitoring to detect malicious container activity such as reverse shells. Regularly audit Kubernetes resources and logs for suspicious changes. If possible, disable or limit the use of kro until patched and properly secured. [1]