PT-2025-45491 · Kubevirt+2

Published: 2025-11-06 · Updated: 2026-02-27 · CVE-2025-64432

CVSS v3.1: 4.7 (Medium)
Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: KubeVirt versions 1.5.3 and below; KubeVirt version 1.6.0

Description: KubeVirt, a virtual machine management add-on for Kubernetes, has an issue in its authentication flow within the Kubernetes aggregation layer. The virt-api component does not properly authenticate the clients from which it receives API requests over mTLS: it fails to validate the Common Name (CN) field of the client TLS certificate against the allowed values defined in the extension-apiserver-authentication configmap. This can allow an attacker to bypass Role-Based Access Control (RBAC) by communicating directly with the aggregated API server, potentially impersonating the Kubernetes API server and its aggregator component.

Recommendations: Update to KubeVirt version 1.5.3 or later. Update to KubeVirt version 1.6.1 or later.

Exploit

Fix

Weakness Enumeration

Improper Authentication
Improper Certificate Validation

Related Identifiers

AZL-69793
AZL-69890
CVE-2025-64432
GHSA-38JW-G2QX-4286
GO-2025-4103
OPENSUSE-SU-2026:20281-1
SUSE-SU-2025:4330-1
SUSE-SU-2026:20551-1
SUSE-SU-2026:20610-1

Affected Products

Kubevirt
Kubernetes
Suse