
Chaos Mesh Vulnerabilities Enable Kubernetes Cluster Takeover

2 unique sources, 2 articles

Summary


Multiple critical vulnerabilities in Chaos Mesh, an open-source cloud-native Chaos Engineering platform, could enable remote code execution and full Kubernetes cluster takeover. The flaws, collectively named Chaotic Deputy, allow attackers with minimal in-cluster network access to execute arbitrary commands, steal tokens, and disrupt services. The issues stem from insufficient authentication in the Chaos Controller Manager's GraphQL server. Exploitation could lead to data exfiltration, service disruption, and lateral movement within the cluster. All vulnerabilities were patched in Chaos Mesh version 2.7.3, released on August 21, 2025. Chaos Mesh is an incubating project within the Cloud Native Computing Foundation (CNCF). The vulnerabilities were discovered by researchers at JFrog, who found that the flaws could facilitate access to Kubernetes service tokens across multiple pods, enabling privilege escalation and potential cluster takeover. The vulnerabilities are tied to the cleanTcs fault injection mechanism and can be exploited by attackers with initial access to execute arbitrary OS commands on any pod within the cluster.

Timeline

  1. 16.09.2025 19:23 (2 articles)

    Chaos Mesh vulnerabilities disclosed and patched

    On May 6, 2025, multiple critical vulnerabilities in Chaos Mesh were disclosed. These vulnerabilities, collectively named Chaotic Deputy, allow for remote code execution and full Kubernetes cluster takeover. The issues were patched in Chaos Mesh version 2.7.3, released on August 21, 2025. The vulnerabilities are tied to the cleanTcs fault injection mechanism and can be exploited by attackers with initial access to execute arbitrary OS commands on any pod within the cluster. The flaws could facilitate access to Kubernetes service tokens across multiple pods, enabling privilege escalation and potential cluster takeover. The Chaos Controller Manager handles scheduling and execution of chaos experiments, and the vulnerabilities were discovered by researchers at JFrog.



Similar Happenings

ShadowV2 Botnet Exploits Misconfigured AWS Docker Containers for DDoS Attacks

The ShadowV2 botnet targets misconfigured Docker containers on Amazon Web Services (AWS) to deploy a Go-based malware, turning infected systems into nodes for a distributed denial-of-service (DDoS) botnet. This botnet is available for rent to conduct DDoS attacks, employing advanced techniques such as HTTP/2 Rapid Reset and bypassing Cloudflare's Under Attack mode. The botnet was detected on June 24, 2025, and is believed to be part of a DDoS-for-Hire service. The botnet uses a Python-based C2 framework hosted on GitHub Codespaces and a Go-based remote access trojan (RAT) for command execution and communication. The malware first spawns a generic setup container from an Ubuntu image, installs necessary tools, and then builds and deploys a live container. This approach may help avoid leaving forensic artifacts on the victim machine. The malware communicates with a C2 server to receive commands and conduct attacks. The botnet's dynamic container deployment allows highly configurable attacks while concealing activity behind cloud-native architecture. The botnet targets 24,000 IP addresses with port 2375 open, though not all are exploitable. The malware sends a heartbeat signal to the C2 server every second and polls for new attack commands every five seconds. The botnet is actively used, with observed commands to launch attacks against at least one website.

Microsoft September 2025 Patch Tuesday addresses 81 vulnerabilities, including two zero-days

Microsoft's September 2025 Patch Tuesday addresses 80 vulnerabilities, including one publicly disclosed flaw and eight critical vulnerabilities. The updates fix a range of issues, including privilege escalation, remote code execution, information disclosure, and denial-of-service vulnerabilities. The patches also cover a critical flaw in Azure Networking and address a new lateral movement technique dubbed BitLockMove. Additionally, security updates have been released by multiple vendors, including Adobe, Cisco, Google, and others. The September 2025 update includes 38 elevation of privilege (EoP) vulnerabilities. The two zero-day vulnerabilities are CVE-2025-55234 in Windows SMB Server and CVE-2024-21907 in Microsoft SQL Server. The SMB vulnerability is exploited through relay attacks, while the SQL Server flaw involves improper handling of exceptional conditions in Newtonsoft.Json. The updates also include hardening features for SMB Server to mitigate relay attacks, with recommendations for administrators to enable auditing to assess compatibility issues. The KB5065429 cumulative update for Windows 10 22H2 and 21H2 includes fourteen fixes or changes, addressing unexpected UAC prompts and severe lag and stuttering issues with NDI streaming software. The update enables auditing of SMB client compatibility for SMB Server signing and SMB Server EPA, and includes an opt-in feature for administrators to allow outbound network traffic from Windows 10 devices. CVE-2025-55234 is an elevation of privilege vulnerability with a CVSS score of 8.8. CVE-2025-54918 in Windows NT LAN Manager (NTLM) is marked as critical and has a CVSS score of 8.8. CVE-2025-54111 and CVE-2025-54913 are EoP vulnerabilities in Windows UI XAML. CVE-2025-55232 in the Microsoft High Performance Compute (HPC) Pack has a CVSS score of 9.8. CVE-2025-54916 in Windows NTFS has a CVSS score of 7.8 and can be exploited through SMB or local parsing routines. Microsoft has released the final non-security preview update for Windows 10, version 22H2, which includes fixes for the out-of-box experience and SMBv1 protocol connectivity. The update improves the servicing stack, updating Windows 10 22H2 systems to build 19045.6396. The update includes fixes and quality improvements from the KB5065429 cumulative update, enabling support for IT administrators to deploy hardening measures for SMB. The update addresses an issue causing non-admin users to receive unexpected User Account Control (UAC) prompts and fixes delays or uneven audio and video performance issues with Network Device Interface (NDI) streaming. Microsoft will stop providing security updates for Windows 10 after October 14, 2025, and the Extended Security Updates (ESU) program is available for Windows 10 users to delay the switch to Windows 11. Individual customers in the European Economic Area (EEA) can enroll in the ESU program for free.

Critical vulnerabilities in SAP NetWeaver and related products addressed

SAP has released security updates addressing multiple vulnerabilities, including three critical flaws in NetWeaver and a high-severity issue in S/4HANA. The most severe, CVE-2025-42944, allows unauthenticated attackers to execute arbitrary OS commands via an insecure deserialization vulnerability in the RMI-P4 module. The second critical flaw, CVE-2025-42922, enables authenticated attackers to upload arbitrary files, potentially leading to full system compromise. The third critical vulnerability, CVE-2025-42958, allows unauthorized high-privileged users to access sensitive data and administrative functions. Additionally, a high-severity missing input validation bug in SAP S/4HANA (CVE-2025-42916) was patched, which could permit attackers to delete the content of arbitrary database tables. These vulnerabilities affect SAP NetWeaver, the foundation for various business applications like ERP, CRM, SRM, and SCM, widely deployed in large enterprise networks. The RMI-P4 port, used for internal SAP-to-SAP communication, may be exposed to wider networks due to misconfigurations. SAP products are frequent targets for high-value compromises due to their handling of mission-critical data. Earlier this month, a critical code injection vulnerability (CVE-2025-42957) was exploited in S/4HANA, Business One, and NetWeaver products. SAP has also updated security notes for other high-severity vulnerabilities in Business One, Landscape Transformation Replication Server, and S/4HANA.

SAP S/4HANA Command Injection Vulnerability CVE-2025-42957 Exploited in the Wild

A critical command injection vulnerability in SAP S/4HANA, tracked as CVE-2025-42957, is actively exploited in the wild. The flaw allows attackers with low-privileged user access to execute arbitrary ABAP code, potentially leading to full system compromise. The vulnerability affects both on-premise and Private Cloud editions of SAP S/4HANA. The flaw was patched in SAP's August 2025 updates, but exploitation has been observed. SecurityBridge Threat Research Labs, BleepingComputer, and Pathlock have reported active exploitation. Organizations are advised to apply patches, monitor logs for suspicious RFC calls or new admin users, implement SAP's Unified Connectivity framework (UCON) to restrict RFC usage, and take additional security measures to mitigate the risk.

WeepSteel Malware Deployed via Sitecore Zero-Day Exploit

Threat actors have exploited a zero-day vulnerability in Sitecore Experience Manager (XM) and Experience Platform (XP) to deliver WeepSteel malware. The flaw, tracked as CVE-2025-53690, affects versions prior to 9.0 and was exploited using a sample machine key from outdated deployment guides. The attack involved ViewState deserialization, internal reconnaissance, and the deployment of various open-source tools for persistence and lateral movement. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch the vulnerability by September 25, 2025. The vulnerability has a CVSS score of 9.0, indicating critical severity. The vulnerability was addressed by Sitecore, which has provided mitigation guidance and indicators of compromise (IoCs). The attacks were quickly disrupted, but they highlight the risks associated with using default or outdated configuration settings in web applications. The WeepSteel malware, a .NET assembly, enables the harvesting of system, network, and user information, which is then encrypted and exfiltrated to the attackers. The attackers also performed extensive reconnaissance and established multiple methods of persistence, including creating local administrator accounts and using Remote Desktop Protocol (RDP) for access. The flaw is not a bug in ASP.NET itself, but a misconfiguration vulnerability created by reusing publicly documented keys that were never meant for production. The attackers targeted the '/sitecore/blocked.aspx' endpoint, which contains an unauthenticated ViewState field, and achieved RCE under the IIS NETWORK SERVICE account. The malicious payload dropped was WeepSteel, a reconnaissance backdoor that gathers system, process, disk, and network information, disguising its exfiltration as standard ViewState responses. The attackers executed reconnaissance commands including whoami, hostname, tasklist, ipconfig /all, and netstat -ano. They also deployed Earthworm (a network tunneling and reverse SOCKS proxy), Dwagent (a remote access tool), and 7-Zip (for creating archives of stolen data). The attackers escalated privileges by creating local administrator accounts ('asp$', 'sawadmin'), dumping cached credentials, and attempting token impersonation via GoTokenTheft. Persistence was secured by disabling password expiration for these accounts, giving them RDP access, and registering Dwagent as a SYSTEM service. CVE-2025-53690 impacts Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud, up to version 9.0, when deployed using the sample ASP.NET machine key included in pre-2017 documentation. XM Cloud, Content Hub, CDP, Personalize, OrderCloud, Storefront, Send, Discover, Search, and Commerce Server are not impacted. Sitecore published a security bulletin in coordination with Mandiant's report, warning that multi-instance deployments with static machine keys are also at risk. The recommended actions for potentially impacted administrators are to immediately replace all static <machineKey> values in web.config with new, unique keys, and to ensure the <machineKey> element inside web.config is encrypted. Adopting regular static machine key rotation as an ongoing security measure is also recommended. The exploitation of CVE-2025-53690 is part of a broader trend of ViewState attacks this year, including vulnerabilities in Gladinet's CentreStack, ConnectWise, and Microsoft SharePoint Server.