[Security Advisory] CVE-2025-7342: VM images built with Kubernetes Image Builder Nutanix or OVA providers use default credentials for Windows images if user did not override

6,449 views
Skip to first unread message

Rita Zhang

unread,
Jul 21, 2025, 7:32:37 PM 7/21/25
to kubernetes-announce, dev, kubernetes-sec...@googlegroups.com, kubernetes-security-discuss, distributo...@kubernetes.io

Hello Kubernetes Community,


A security issue was discovered in Kubernetes where an unauthorized user may be able to ssh/RDP/WINRM to a Windows node VM which uses a VM image built with the Kubernetes Image Builder project ( https://github.com/kubernetes-sigs/image-builder ).


For Windows images built with Nutanix, OVA, this issue has been rated High

( https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H )(8.1)


Am I vulnerable?


Clusters using virtual machine images built with Kubernetes Image Builder ( https://github.com/kubernetes-sigs/image-builder ) version v0.1.44 or earlier are affected.


CVE-2025-7342: VMs using Windows images built with Nutanix, OVA were confirmed vulnerable.


VMs using images built with all other providers are not affected.


Affected Versions

Kubernetes Image Builder versions <= v0.1.44


To determine the version of Image Builder you are using, use one of the following methods:

* For git clones of the image builder repository:
    cd <local path to image builder repo>

    make version

* For installations using a tarball download:
    cd <local path to install location>

    grep -o v0\\.[0-9.]* RELEASE.md | head -1

* For a container image release:

    docker run --rm <image pull spec> version
  or
    podman run --rm <image pull spec> version

  or look at the image tag specified, in the case of an official image such as registry.k8s.io/scl-image-builder/cluster-node-image-builder-amd64:v0.1.44


How do I mitigate this vulnerability?

Rebuild any affected images using a fixed version of Image Builder. Re-deploy the fixed images to any affected VMs or use image-builder v0.1.41 (February 2025) or later, and set the `admin_password` JSON variable.


Prior to upgrading, this vulnerability can be mitigated by changing the password of the Administrator account on affected VMs:

`net user Administrator <new-password>`


Fixed Versions


Kubernetes Image Builder versions >= v0.1.45


Detection


`Get-LocalUser -Name Administrator | Select-Object Name,Enabled,SID,Lastlogon | Format-List`


If you find evidence that this vulnerability has been exploited, please contact secu...@kubernetes.io


Additional Details


See the GitHub issues for more details: 

https://github.com/kubernetes/kubernetes/issues/133115


Acknowledgements


This vulnerability was reported by Abdel Adim Oisfi, Davide Silvetti, Nicolò Daprelà, Paolo Cavaglià, Pietro Tirenna from Shielder .


The issue was fixed and coordinated by Matt Boersma of the Image Builder project.


Thank You,


Rita Zhang on behalf of the Kubernetes Security Response Committee


Reply all
Reply to author
Forward
0 new messages