The vulnerability, designated CVE-2025-7342 with a high CVSS score of 8.1, affects virtual machine images built using specific providers and has prompted immediate action from the Kubernetes security team.
The vulnerability stems from default credentials that remain enabled during the image build process when using Kubernetes Image Builder’s Nutanix or OVA providers for Windows images.
These default credentials are not properly disabled in the resulting VM images, potentially allowing attackers to gain unauthorized root access to affected systems.
The security issue specifically impacts Windows nodes in Kubernetes clusters that utilize VM images created through the Image Builder project.
According to the vulnerability report, all versions of Kubernetes Image Builder up to and including v0.1.44 are affected when used with the Nutanix or OVA providers.
Notably, VMs built using other providers within the Image Builder ecosystem remain unaffected by this particular vulnerability.
The severity of this issue cannot be overstated, as successful exploitation could grant attackers complete administrative control over affected Windows nodes.
This level of access could potentially compromise entire Kubernetes cluster operations, making it a critical concern for organizations running Windows workloads in their Kubernetes environments.
Organizations can determine their exposure to this vulnerability through several identification methods.
For users working with git clones of the image builder repository, running make version within the local repository path will reveal the current version. Those using tarball installations can execute grep -o v0\.[0-9.]* RELEASE.md | head -1 to extract version information.
Container image users can verify their version by running docker run --rm <image pull spec> version or examining the image tag directly.
Official images follow the naming convention registry.k8s.io/scl-image-builder/cluster-node-image-builder-amd64:v0.1.44, making version identification straightforward.
For detection of potentially compromised systems, administrators can use the PowerShell command Get-LocalUser -Name Administrator | Select-Object Name,Enabled,SID,LastLogon | Format-List to examine Administrator account details.
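The account check above, extended into a small audit that a node operator could run, as an added example that is not part of the advisory or the Image Builder project. It assumes an elevated session on the Windows node; the function names are hypothetical, and the built-in Administrator is matched by its RID-500 SID rather than by name so the check also works where the account has been renamed or localized.

```powershell
# Added audit script (not from the advisory or Image Builder). Run elevated on a Windows node.

function Get-AdminAccountExposure {
    # The built-in Administrator always has RID 500, so match on SID rather than name.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if (-not $admin) { throw 'Built-in Administrator account not found' }
    [pscustomobject]@{
        Name            = $admin.Name
        Enabled         = $admin.Enabled
        SID             = $admin.SID.Value
        LastLogon       = $admin.LastLogon
        PasswordLastSet = $admin.PasswordLastSet   # at or before the image build date = password never rotated
        # Image Builder <= v0.1.44 (Nutanix/OVA) leaves this account enabled; treat enabled as exposed
        Exposed         = [bool]$admin.Enabled
    }
}

function Get-AdminLogonEvents {
    # Lists successful logons (Security event 4624) to the built-in Administrator in the last $Days days.
    param([int]$Days = 30)
    $adminName = (Get-AdminAccountExposure).Name
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data.TargetUserName -eq $adminName) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                LogonType = $data.LogonType    # 3 = network, 10 = RDP, 2 = interactive
                Source    = $data.IpAddress
                Process   = $data.ProcessName
            }
        }
    }
}

function Reset-AdminPassword {
    # Interim mitigation from the advisory, done with Set-LocalUser instead of 'net user'.
    param([Parameter(Mandatory)][securestring]$NewPassword)
    Set-LocalUser -Name (Get-AdminAccountExposure).Name -Password $NewPassword
}

Get-AdminAccountExposure | Format-List
Get-AdminLogonEvents -Days 30 | Format-Table -AutoSize
# Reset-AdminPassword -NewPassword (Read-Host -AsSecureString 'New Administrator password')
```

Logons that predate the rotation, especially network or RDP logon types from unexpected sources, are the records to review before rebuilding the node from a fixed image.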
The Kubernetes security team has released Image Builder version v0.1.45, which addresses the vulnerability by requiring users to explicitly specify passwords through the WINDOWS_ADMIN_PASSWORD environment variable or the admin_password JSON variable.
If neither is provided, the build process will fail with an error, preventing the creation of vulnerable images.
For immediate protection, organizations can change the Administrator account password on affected VMs using the command net user Administrator <new-password>.
However, the most comprehensive solution involves rebuilding all affected images using the fixed Image Builder version v0.1.45 and redeploying them to affected systems.
The vulnerability was discovered and reported by security researchers Abdel Adim Oisfi, Davide Silvetti, Nicolò Daprelà, Paolo Cavaglià, and Pietro Tirenna from Shielder.
Matt Boersma from the Image Builder project coordinated the fix and disclosure process, ensuring rapid remediation of this critical security issue.
The post Kubernetes Image Builder Vulnerability Allows Root Access on Windows Nodes via Default Credentials appeared first on Cyber Security News.