CVE-2025-64434 — Improper Authentication in Kubevirt

CWE-287 — Improper Authentication CWE-295 — Improper Certificate Validation7 documents6 sources

Severity

6.3MEDIUMNVD

CNA4.7

EPSS

0.0%

top 98.46%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Kubevirt Kubevirt.io Kubevirt

Timeline

PublishedNov 7

Latest updateNov 17

Description

KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.5.3 and 1.6.1, due to the peer verification logic in virt-handler (via verifyPeerCert), an attacker who compromises a virt-handler instance, could exploit these shared credentials to impersonate virt-api and execute privileged operations against other virt-handler instances potentially compromising the integrity and availability of the VM managed by it. This vulnerability is fixed in 1.5.3 and 1.6.1.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:HExploitability: 1.0 | Impact: 5.2

Affected Packages3 packages

▶CVEListV5kubevirt/kubevirt< 1.5.3+1

▶NVDkubevirt/kubevirt< 1.5.3+1

▶Gokubevirt.io/kubevirt1.6.0-alpha.0 — 1.6.1+3

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

KubeVirt Improper TLS Certificate Management Handling Allows API Identity Spoofing in kubevirt.io/kubevirt↗2025-11-17

▶

CVEList

KubeVirt Improper TLS Certificate Management Handling Allows API Identity Spoofing↗2025-11-07

▶

GHSA

KubeVirt's Improper TLS Certificate Management Handling Allows API Identity Spoofing↗2025-11-06

▶

OSV

KubeVirt's Improper TLS Certificate Management Handling Allows API Identity Spoofing↗2025-11-06

▶

📋Vendor Advisories

Microsoft

KubeVirt Improper TLS Certificate Management Handling Allows API Identity Spoofing↗2025-11-11

▶

Red Hat

kubevirt: KubeVirt: API Identity Spoofing Vulnerability↗2025-11-07

▶