What is the CVSS score of CVE-2025-64432?

CVE-2025-64432 has a CVSS 3.1 base score of 4.7 (Medium). CVSS vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H. EPSS exploitation probability: 0.0%.

Which versions of Kubernetes are affected by CVE-2025-64432?

Organizations using KubeVirt should be aware of moderate risk from CVE-2025-64432, a improper authentication vulnerability rated CVSS 4.7. This could allow unauthorized access to protected resources.. A patch is available.

Is there a public PoC exploit available for CVE-2025-64432?

Yes, a public proof-of-concept exploit is available for CVE-2025-64432. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2025-64432?

During next maintenance window: Identify affected systems and apply vendor patches when convenient. Audit authentication configurations.

Kubernetes CVE-2025-64432

MEDIUM

Improper Authentication (CWE-287)

2025-11-07 security-advisories@github.com

Authentication Bypass Kubernetes Red Hat Suse Kubevirt

4.7

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 19:21 vuln.today

Patch released

Mar 28, 2026 - 19:21 nvd

Patch available

PoC Detected

Nov 25, 2025 - 15:56 vuln.today

Public exploit code

CVE Published

Nov 07, 2025 - 19:16 nvd

MEDIUM 4.7

DescriptionNVD

KubeVirt is a virtual machine management add-on for Kubernetes. Versions 1.5.3 and below, and 1.6.0 contained a flawed implementation of the Kubernetes aggregation layer's authentication flow which could enable bypass of RBAC controls. It was discovered that the virt-api component fails to correctly authenticate the client when receiving API requests over mTLS. In particular, it fails to validate the CN (Common Name) field in the received client TLS certificates against the set of allowed values defined in the extension-apiserver-authentication configmap. Failre to validate certain fields in the client TLS certificate may allow an attacker to bypass existing RBAC controls by directly communicating with the aggregated API server, impersonating the Kubernetes API server and its aggregator component. This issue is fixed in versions 1.5.3 and 1.6.1.

AnalysisAI

KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 4.7). Public exploit code available.

Technical ContextAI

This vulnerability is classified as Improper Authentication (CWE-287), which allows attackers to bypass authentication mechanisms to gain unauthorized access. KubeVirt is a virtual machine management add-on for Kubernetes. Versions 1.5.3 and below, and 1.6.0 contained a flawed implementation of the Kubernetes aggregation layer's authentication flow which could enable bypass of RBAC controls. It was discovered that the virt-api component fails to correctly authenticate the client when receiving API requests over mTLS. In particular, it fails to validate the CN (Common Name) field in the received client TLS certificates against the set of allowed values defined in the extension-apiserver-authentication configmap. Failre to validate certain fields in the client TLS certificate may allow an attacker to bypass existing RBAC controls by directly communicating with the aggregated API server, impersonating the Kubernetes API server and its aggregator component. This issue is fixed in versions 1.5.3 and 1.6.1. Affected products include: Kubevirt.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Implement multi-factor authentication, enforce strong password policies, use proven authentication frameworks.