How to fix CVE-2025-66623?

Within 24 hours: Identify all Strimzi deployments and their current versions in your Kubernetes/OpenShift environments. Within 7 days: Upgrade all affected Strimzi instances to version 0.49.1 or later, prioritizing production environments. Within 30 days: Conduct a secrets audit to determine if any sensitive data was accessed, rotate compromised credentials, and review Kafka Connect and MirrorMaker 2 service account permissions.

Is Kubernetes affected by CVE-2025-66623?

Strimzi versions 0.47.0 through 0.49.0 contain a privilege escalation vulnerability that exposes all Kubernetes Secrets within affected namespaces to Kafka Connect and MirrorMaker 2 operands.

CVE-2025-66623

EUVD-2025-201497 HIGH

2025-12-05 [email protected]

GHSA-xrhh-hx36-485q

7.4

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

EUVD ID Assigned

Mar 15, 2026 - 17:08 euvd

EUVD-2025-201497

Analysis Generated

Mar 15, 2026 - 17:08 vuln.today

Patch Released

Mar 15, 2026 - 17:08 nvd

Patch available

CVE Published

Dec 05, 2025 - 19:15 nvd

HIGH 7.4

Description

Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployment configurations. From 0.47.0 and prior to 0.49.1, in some situations, Strimzi creates an incorrect Kubernetes Role which grants the Apache Kafka Connect and Apache Kafka MirrorMaker 2 operands the GET access to all Kubernetes Secrets that exist in the given Kubernetes namespace. The issue is fixed in Strimzi 0.49.1.

Analysis

Technical Context

Information disclosure occurs when an application inadvertently reveals sensitive data to unauthorized actors through error messages, logs, or improper access controls. This vulnerability is classified as Information Exposure (CWE-200).

Affected Products

Affected products: Linuxfoundation Strimzi

Remediation

A vendor patch is available — apply it immediately. Implement proper access controls. Sanitize error messages in production. Review logging practices to avoid capturing sensitive data.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +37

POC: 0

Vendor Status

CVE-2025-66623 vulnerability details – vuln.today

Back

CVE-2025-66623

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Share

CVE-2025-66623

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Share

External POC / Exploit Code