Cilium, Incorrect Authorization, CVE-2025-30162 (Low)

Listen to this Post

The vulnerability, identified as CVE-2025-30162, is an Incorrect Authorization issue (CWE-863) found in Cilium, an eBPF-based networking and security solution . It specifically affects configurations where users employ the Gateway API for Ingress, use LB-IPAM or BGP for LoadBalancer services, and have network policies to block egress traffic between namespaces . In such setups, egress traffic from workloads that should be blocked by these policies is incorrectly allowed to reach LoadBalancers configured via Gateway resources . The flaw arises because the network policy enforcement fails to apply to this specific traffic path, effectively bypassing the intended security controls . This bypass is not triggered by LoadBalancers deployed outside the Gateway API configuration . The vulnerability impacts Cilium versions v1.15.0 to v1.15.14, v1.16.0 to v1.16.7, and v1.17.0 to v1.17.1 . It has been assigned a CVSS score of 3.2, indicating a low severity due to its high attack complexity and low confidentiality impact . The issue is fixed in versions v1.15.15, v1.16.8, and v1.17.2 .

DailyCVE Form:

Platform: Cilium
Version: 1.15.0-1.17.1
Vulnerability: Incorrect Authorization
Severity: Low (CVSS 3.2)
Date: March 24, 2025

Prediction: Patch already available

What Undercode Say:

Analytics:

The vulnerability has a CVSS score of 3.2, with a vector string of CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N . Its EPSS score is currently very low, at 0.01% . This indicates that while the vulnerability is real, exploitation in the wild is not currently widespread or automated . The scope is changed, meaning the vulnerable component impacts resources beyond its security scope, but the impact is limited to low confidentiality .

Exploit:

While no public proof-of-concept (PoC) is available at this time, the exploitation scenario is specific . An attacker with a compromised workload in a namespace that has an egress policy blocking access to another namespace could still send traffic to a LoadBalancer IP that resides in the target namespace, if that LoadBalancer was created through a Gateway resource . This would bypass the intended network policy restriction, allowing for potential network probing or data exfiltration to a service that was supposed to be isolated . The attack vector is local, requiring the attacker to already have a foothold on a workload within the cluster .

Protection from this CVE:

The primary protection is to upgrade Cilium to a patched version. The fixed versions are v1.15.15, v1.16.8, and v1.17.2 .
For those unable to upgrade immediately, a workaround exists using a Clusterwide Cilium Network Policy . The following policy can be applied to create a default deny for in-cluster traffic to the Cilium Ingress Gateway, while allowing external traffic :

apiVersion: "cilium.io/v2"
kind: CiliumClusterwideNetworkPolicy
metadata:
name: "cve-2025-30162-workaround"
spec:
endpointSelector:
matchExpressions:
- key: "reserved:ingress"
operator: Exists
ingress:
- fromEntities:
- world

This policy works by selecting the Cilium Ingress Gateway and explicitly allowing only traffic from the `world` (external) entity, thereby denying all in-cluster traffic that would have been affected by the bypass . Users should tailor this policy to their specific environment .

Impact:

Successful exploitation allows for the bypass of network policies designed to segment cluster traffic . This can lead to unauthorized east-west traffic flow between namespaces . The impact is primarily on the confidentiality of services in the target namespace, as a workload in a different namespace may be able to connect to a LoadBalancer service it should not have access to . There is no impact on integrity or availability from this specific flaw .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top