Listen to this Post
The vulnerability, identified as CVE-2025-30162, is an Incorrect Authorization issue (CWE-863) found in Cilium, an eBPF-based networking and security solution . It specifically affects configurations where users employ the Gateway API for Ingress, use LB-IPAM or BGP for LoadBalancer services, and have network policies to block egress traffic between namespaces . In such setups, egress traffic from workloads that should be blocked by these policies is incorrectly allowed to reach LoadBalancers configured via Gateway resources . The flaw arises because the network policy enforcement fails to apply to this specific traffic path, effectively bypassing the intended security controls . This bypass is not triggered by LoadBalancers deployed outside the Gateway API configuration . The vulnerability impacts Cilium versions v1.15.0 to v1.15.14, v1.16.0 to v1.16.7, and v1.17.0 to v1.17.1 . It has been assigned a CVSS score of 3.2, indicating a low severity due to its high attack complexity and low confidentiality impact . The issue is fixed in versions v1.15.15, v1.16.8, and v1.17.2 .
DailyCVE Form:
Platform: Cilium
Version: 1.15.0-1.17.1
Vulnerability: Incorrect Authorization
Severity: Low (CVSS 3.2)
Date: March 24, 2025
Prediction: Patch already available
What Undercode Say:
Analytics:
The vulnerability has a CVSS score of 3.2, with a vector string of CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N . Its EPSS score is currently very low, at 0.01% . This indicates that while the vulnerability is real, exploitation in the wild is not currently widespread or automated . The scope is changed, meaning the vulnerable component impacts resources beyond its security scope, but the impact is limited to low confidentiality .
Exploit:
While no public proof-of-concept (PoC) is available at this time, the exploitation scenario is specific . An attacker with a compromised workload in a namespace that has an egress policy blocking access to another namespace could still send traffic to a LoadBalancer IP that resides in the target namespace, if that LoadBalancer was created through a Gateway resource . This would bypass the intended network policy restriction, allowing for potential network probing or data exfiltration to a service that was supposed to be isolated . The attack vector is local, requiring the attacker to already have a foothold on a workload within the cluster .
Protection from this CVE:
The primary protection is to upgrade Cilium to a patched version. The fixed versions are v1.15.15, v1.16.8, and v1.17.2 .
For those unable to upgrade immediately, a workaround exists using a Clusterwide Cilium Network Policy . The following policy can be applied to create a default deny for in-cluster traffic to the Cilium Ingress Gateway, while allowing external traffic :
apiVersion: "cilium.io/v2" kind: CiliumClusterwideNetworkPolicy metadata: name: "cve-2025-30162-workaround" spec: endpointSelector: matchExpressions: - key: "reserved:ingress" operator: Exists ingress: - fromEntities: - world
This policy works by selecting the Cilium Ingress Gateway and explicitly allowing only traffic from the `world` (external) entity, thereby denying all in-cluster traffic that would have been affected by the bypass . Users should tailor this policy to their specific environment .
Impact:
Successful exploitation allows for the bypass of network policies designed to segment cluster traffic . This can lead to unauthorized east-west traffic flow between namespaces . The impact is primarily on the confidentiality of services in the target namespace, as a workload in a different namespace may be able to connect to a LoadBalancer service it should not have access to . There is no impact on integrity or availability from this specific flaw .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

