
Chaos Mesh GraphQL Vulnerabilities Enable Kubernetes Cluster Takeover

2 unique sources, 2 articles

Summary


Multiple critical vulnerabilities in Chaos Mesh, an open-source cloud-native chaos engineering platform and an incubating project of the Cloud Native Computing Foundation (CNCF), let an attacker with minimal in-cluster network access execute arbitrary code, cause denial of service and take over the Kubernetes cluster. The flaws, collectively named Chaotic Deputy, stem from insufficient authentication on the GraphQL server exposed by the Chaos Controller Manager: an unauthenticated caller that can reach it over the cluster network can make it run arbitrary commands on the Chaos Daemon through command injection, or kill arbitrary processes in Kubernetes pods for a cluster-wide denial of service. Chained together, the command injection flaws and the unauthenticated GraphQL server yield remote code execution and privilege escalation across the cluster. The vulnerabilities were disclosed on September 16, 2025; the fix had already shipped in Chaos Mesh 2.7.3 on August 21, 2025, so deployments still on an earlier release remain exposed.
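A first check a cluster operator would want, written as an added example for this page rather than code from the Chaos Mesh project: given the JSON from `kubectl get pods -A -o json`, list every Chaos Mesh container still below the fixed 2.7.3 release. The image repository names matched (chaos-mesh, chaos-daemon, chaos-dashboard), the hypothetical script name and the sample pod list are assumptions, not taken from the advisory; an unparseable tag such as `latest` is reported rather than ignored, since it gives no evidence that the fix is present.

```python
"""Flag Chaos Mesh pods that are still on a release earlier than 2.7.3.

Added example (not Chaos Mesh project code). It consumes the JSON that
`kubectl get pods -A -o json` prints, finds containers whose image looks
like a Chaos Mesh component and compares the image tag against the fixed
release. The image repository names and the sample pods below are
assumptions / constructed data, not taken from the advisory.
"""
import json
import re
from typing import Iterator, Optional

FIXED_VERSION = (2, 7, 3)  # first release carrying the Chaotic Deputy fixes

# Assumed image names for the controller manager, daemon and dashboard;
# adjust the pattern if you mirror the images under another name.
CHAOS_MESH_IMAGE = re.compile(r"(^|/)chaos-(mesh|daemon|dashboard)(:|@|$)")
SEMVER_TAG = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(image: str) -> Optional[tuple]:
    """Return (major, minor, patch) parsed from an image reference's tag.

    Returns None when the tag is absent or not semver ('latest', digest
    only), so a caller cannot mistake an unknown version for a safe one.
    """
    ref = image.split("@", 1)[0]             # drop a trailing @sha256:... digest
    _, sep, tag = ref.rpartition(":")
    if not sep or "/" in tag:                # no tag, or the ':' was a registry port
        return None
    m = SEMVER_TAG.match(tag)
    return tuple(int(g) for g in m.groups()) if m else None


def chaos_mesh_containers(pod_list: dict) -> Iterator[tuple]:
    """Yield (namespace, pod, image) for every Chaos Mesh container."""
    for pod in pod_list.get("items", []):
        meta = pod["metadata"]
        for container in pod["spec"].get("containers", []):
            if CHAOS_MESH_IMAGE.search(container["image"]):
                yield meta["namespace"], meta["name"], container["image"]


def find_vulnerable(pod_list: dict) -> list:
    """Pods to act on: below 2.7.3, or a tag that cannot be parsed.

    Unparseable tags are reported as 'unknown-version' instead of skipped:
    'latest' or a digest-only reference says nothing about the fix.
    """
    findings = []
    for namespace, pod, image in chaos_mesh_containers(pod_list):
        version = parse_version(image)
        if version is None:
            status = "unknown-version"
        elif version < FIXED_VERSION:
            status = "vulnerable"
        else:
            continue                         # 2.7.3 or later: fixed
        findings.append({"namespace": namespace, "pod": pod,
                         "image": image, "status": status})
    return findings


# Constructed sample standing in for `kubectl get pods -A -o json` output.
SAMPLE_PODS = {
    "items": [
        {"metadata": {"namespace": "chaos-mesh", "name": "chaos-controller-manager-0"},
         "spec": {"containers": [{"image": "ghcr.io/chaos-mesh/chaos-mesh:v2.7.2"}]}},
        {"metadata": {"namespace": "chaos-mesh", "name": "chaos-daemon-abcde"},
         "spec": {"containers": [{"image": "ghcr.io/chaos-mesh/chaos-daemon:v2.7.3"}]}},
        {"metadata": {"namespace": "chaos-mesh", "name": "chaos-dashboard-0"},
         "spec": {"containers": [{"image": "registry.local:5000/chaos-mesh/chaos-dashboard:latest"}]}},
        {"metadata": {"namespace": "default", "name": "web-0"},
         "spec": {"containers": [{"image": "nginx:1.27"}]}},
    ]
}

if __name__ == "__main__":
    import sys
    # Live use (hypothetical script name):
    #   kubectl get pods -A -o json | python3 check_chaos_mesh.py
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_PODS
    for finding in find_vulnerable(data):
        print(f"{finding['status']:16} {finding['namespace']}/{finding['pod']}  {finding['image']}")
```

Against the constructed sample the script reports the controller manager pod on v2.7.2 as vulnerable and the dashboard pod tagged `latest` as unknown-version, and says nothing about the daemon already on v2.7.3. A clean run only confirms image tags; because the attack needs nothing more than network reachability of the controller manager from inside the cluster, which workloads can reach it is worth reviewing separately.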

Timeline

  1. 16.09.2025 19:23 · 2 articles

    Chaos Mesh GraphQL vulnerabilities disclosed

    Multiple critical vulnerabilities in Chaos Mesh, collectively named Chaotic Deputy, were disclosed on September 16, 2025, after being reported to the Chaos Mesh development team in early May 2025; the fixes shipped in Chaos Mesh 2.7.3 on August 21, 2025. The affected component is the Chaos Controller Manager, which schedules and executes chaos experiments and exposes a GraphQL server. Four CVEs were assigned: three critical command injection flaws (CVE-2025-59359, CVE-2025-59360 and CVE-2025-59361), through which an attacker can execute arbitrary OS commands on any pod in the cluster, and one less severe denial-of-service issue (CVE-2025-59358), an unauthenticated GraphQL server that can be used to kill arbitrary processes in Kubernetes pods. An attacker with minimal in-cluster network access can chain them for remote code execution and full cluster takeover.



Similar Happenings

Microsoft September 2025 Patch Tuesday fixes 81 vulnerabilities, including two zero-days

Microsoft's September 2025 Patch Tuesday addresses 81 vulnerabilities. None was listed as exploited in the wild, but two were publicly disclosed before the fix shipped and are counted as zero-days by most trackers; one of them is in Windows SMB Server, and Microsoft paired it with new SMB Server hardening against relay attacks, recommending that administrators enable auditing first. Eight flaws are rated critical: five remote code execution, one information disclosure and two elevation of privilege. By category the update covers 38 elevation of privilege (the largest group), 2 security feature bypass, 22 remote code execution, 14 information disclosure, 3 denial of service and 1 spoofing. Notable entries: CVE-2025-54918, a critical elevation of privilege flaw in Windows NT LAN Manager (NTLM); CVE-2025-54111 and CVE-2025-54913, elevation of privilege flaws in Windows UI XAML exploitable via phished credentials or malicious Microsoft Store apps; CVE-2025-55232, a remote code execution flaw in Microsoft High Performance Compute (HPC) Pack with a CVSS score of 9.8; and CVE-2025-54916, a remote code execution flaw in Windows NTFS that an authenticated user can trigger. Microsoft also reminds administrators to prepare for the end of life of Windows 10 and for mandatory multifactor authentication (MFA) on Azure in October 2025.

Security Risks in GitHub-hosted Code Across the Software Development Lifecycle

GitHub-hosted code introduces multiple risk vectors throughout the software development lifecycle (SDLC). These vectors create blind spots that attackers exploit, as seen in incidents like the tj-actions GitHub Action and XZ Utils compromises. Organizations often overlook these risks, focusing instead on scanning packaged dependencies from npm or PyPI. The risks span dependency management, container builds, Kubernetes deployments, configuration management, CI/CD automation, code organization, infrastructure provisioning, build tools, developer workflows, and cross-repository triggers. These vulnerabilities can lead to code execution with application privileges, environment variable exfiltration, and other malicious activities. To mitigate these risks, organizations must inventory GitHub references, standardize on pinned immutable references, implement integrity verification, and develop secure internal alternatives for common external dependencies.

Critical RADIUS Flaw in Cisco Secure Firewall Management Center Software

Cisco has released security updates for a critical vulnerability in Secure Firewall Management Center (FMC) Software. The flaw, CVE-2025-20265, allows unauthenticated remote attackers to execute arbitrary code on affected systems. The issue stems from improper handling of user input during the RADIUS authentication phase. The vulnerability impacts Cisco Secure FMC Software releases 7.0.7 and 7.7.0 with RADIUS authentication enabled. No workarounds are available other than applying the provided patches. The flaw was discovered by Brandon Sakai during internal security testing.

Vault Fault vulnerabilities in CyberArk and HashiCorp Vaults enable remote takeover

Over a dozen vulnerabilities, collectively named Vault Fault, have been discovered in CyberArk and HashiCorp enterprise secure vaults. These flaws allow remote attackers to bypass authentication, escalate privileges, and execute arbitrary code, potentially leading to the extraction of enterprise secrets and tokens. The vulnerabilities affect CyberArk Secrets Manager, Self-Hosted, Conjur Open Source, and HashiCorp Vault. The most severe issues permit remote code execution and vault takeover without valid credentials. These vulnerabilities have been addressed in recent updates, but some have existed for years. The flaws include authentication bypasses, impersonation, privilege escalation, and code execution pathways. The vulnerabilities can be chained to create sophisticated attack sequences, including bypassing multi-factor authentication (MFA) and exploiting lockout protection logic. These flaws can be weaponized to turn security features into ransomware vectors or create stealthy communication channels.