[Security Advisory] CVE-2025-7342: VM images built with Kubernetes Image Builder Nutanix or OVA providers use default credentials for Windows images if user did not override

Security_k8s.io · July 21, 2025, 11:27pm

Hello Kubernetes Community,

A security issue was discovered in Kubernetes where an unauthorized user may be able to ssh/RDP/WINRM to a Windows node VM which uses a VM image built with the Kubernetes Image Builder project (https://github.com/kubernetes-sigs/image-builder).

For Windows images built with Nutanix, OVA, this issue has been rated High

(https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)(8.1)

Am I vulnerable?

Clusters using virtual machine images built with Kubernetes Image Builder (GitHub - kubernetes-sigs/image-builder: Tools for building Kubernetes disk images) version v0.1.44 or earlier are affected.

CVE-2025-7342: VMs using Windows images built with Nutanix, OVA were confirmed vulnerable.

VMs using images built with all other providers are not affected.

Affected Versions

Kubernetes Image Builder versions <= v0.1.44

To determine the version of Image Builder you are using, use one of the following methods:

For git clones of the image builder repository:
cd

make version

For installations using a tarball download:
cd

grep -o v0\.[0-9.]* RELEASE.md | head -1

For a container image release:

docker run --rm version
or
podman run --rm version

or look at the image tag specified, in the case of an official image such as registry.k8s.io/scl-image-builder/cluster-node-image-builder-amd64:v0.1.44

How do I mitigate this vulnerability?

Rebuild any affected images using a fixed version of Image Builder. Re-deploy the fixed images to any affected VMs or use image-builder v0.1.41 (February 2025) or later, and set the admin_password JSON variable.

Prior to upgrading, this vulnerability can be mitigated by changing the password of the Administrator account on affected VMs:

net user Administrator <new-password>

Fixed Versions

Kubernetes Image Builder versions >= v0.1.45

Detection

Get-LocalUser -Name Administrator | Select-Object Name,Enabled,SID,Lastlogon | Format-List

If you find evidence that this vulnerability has been exploited, please contact security@kubernetes.io

Additional Details

See the GitHub issues for more details:

https://github.com/kubernetes/kubernetes/issues/133115

Acknowledgements

This vulnerability was reported by Abdel Adim Oisfi, Davide Silvetti, Nicolò Daprelà, Paolo Cavaglià, Pietro Tirenna from Shielder.

The issue was fixed and coordinated by Matt Boersma of the Image Builder project.

Thank You,

Rita Zhang on behalf of the Kubernetes Security Response Committee

Topic	Replies	Views
[Security Advisory] CVE-2024-9486 and CVE-2024-9594: VM images built with Kubernetes Image Builder use default credentials Announcements	8834	October 14, 2024
[Security Advisory] CVE-2023-3955: Insufficient input sanitization on Windows nodes leads to privilege escalation Announcements	2057	August 23, 2023
[Security Advisory] CVE-2023-5528: Insufficient input sanitization in in-tree storage plugin leads to privilege escalation on Windows nodes Announcements	1532	November 14, 2023
[Security Advisory] CVE-2023-3893: Insufficient input sanitization on kubernetes-csi-proxy leads to privilege escalation Announcements	1626	August 23, 2023
[Security Advisory] CVE-2024-5321: Incorrect permissions on Windows containers logs Announcements	251	July 17, 2024

[Security Advisory] CVE-2025-7342: VM images built with Kubernetes Image Builder Nutanix or OVA providers use default credentials for Windows images if user did not override

Related topics