Cyber Resilience

CVE-2025-24030

Severity: High
Published: 23 January 2025
Modified: 04 September 2025
KEV Added: not listed in the CISA KEV catalog
Patch: available (Envoy Gateway 1.2.6)
CVSS Score v3.1: 7.1 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H)
EPSS Score: 0.0018 (39.6th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-24030 is a high-severity Unprotected Primary Channel (CWE-419) vulnerability in Envoy Gateway (envoyproxy/gateway). Its CVSS v3.1 base score is 7.1 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation of Remote Services (T1210). Its EPSS score sits at the 39.6th percentile (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation); the definitive remediation is upgrading to Envoy Gateway 1.2.6.

Deeper analysis

CVE-2025-24030 is a path traversal vulnerability in Envoy Gateway, an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. It affects all versions of Envoy Gateway prior to 1.2.6 and allows unauthorized execution of commands on the Envoy Admin interface of the proxies it manages. The issue is classified under CWE-419 (Unprotected Primary Channel) with a CVSS v3.1 base score of 7.1 (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H): the attack requires no privileges or user interaction but only adjacent (cluster) network access, and the impact is high on availability (the proxy process can be terminated) and low on confidentiality (the proxy configuration can be read).

A user with access to the Kubernetes cluster can exploit this vulnerability via a path traversal attack through the Prometheus metrics endpoint that each managed proxy exposes, invoking Envoy Admin interface commands on the affected proxies. Successful exploitation enables termination of the Envoy process, causing denial of service, and extraction of the Envoy configuration, which may contain confidential data such as credentials or upstream details.

Version 1.2.6 of Envoy Gateway resolves the vulnerability and is the recommended remediation. Until the upgrade can be applied, administrators can use the EnvoyProxy API to apply a bootstrap configuration patch that restricts the stats listener strictly to the Prometheus stats endpoint, so that no other Admin interface path is reachable through it. Additional details are available in the Envoy Gateway security advisory (GHSA-j777-63hf-hx76) and the fixing commit (3eb3301ab3dbf12b201b47bdb6074d1233be07bd), along with the Envoy documentation on edge best practices and Admin interface operations.

Vulnerability details

Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. A user with access to the Kubernetes cluster can use a path traversal attack to execute Envoy Admin interface commands on proxies managed by any version of Envoy Gateway prior to 1.2.6. The admin interface can be used to terminate the Envoy process and extract the Envoy configuration (possibly containing confidential data). Version 1.2.6 fixes the issue. As a workaround, the `EnvoyProxy` API can be used to apply a bootstrap config patch that restricts access strictly to the prometheus stats endpoint. Find below an example of such a bootstrap patch.
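The bootstrap patch referred to above, written here as an added example rather than the advisory's or the project's own manifest. It assumes the `JSONPatch` bootstrap type of the EnvoyProxy API available in the 1.2 line, a resource name and namespace of your choosing (`custom-proxy-config` in `envoy-gateway-system` here), and that in the rendered bootstrap the first static listener is the stats listener whose first route forwards `/stats/prometheus` by prefix match to the admin cluster; check those JSON pointers against the bootstrap your installation actually renders (for example via the proxy's `/config_dump`) before applying it.

```yaml
# Added example, not the advisory's manifest: an EnvoyProxy resource that
# replaces the route feeding the Prometheus stats listener so that only an
# exact request for /stats/prometheus is forwarded to the admin cluster.
#
# Assumptions to verify against your rendered bootstrap before applying:
#   - static listener 0 is the stats/readiness listener and its HTTP
#     connection manager is filters[0] of filter_chains[0];
#   - routes[0] of virtual_hosts[0] is the route that matches
#     /stats/prometheus and forwards to the cluster fronting the admin port.
#
# The weak (assumed default) route match that the flaw relies on:
#
#   routes:
#   - match:
#       prefix: /stats/prometheus   # every path under this prefix, dot-dot
#     route:                        # segments included, reaches the admin
#       cluster: prometheus_stats   # interface behind this cluster
#
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyProxy
metadata:
  name: custom-proxy-config          # assumed name; referenced from the GatewayClass
  namespace: envoy-gateway-system    # assumed controller namespace
spec:
  bootstrap:
    type: JSONPatch
    jsonPatches:
    - op: replace
      path: "/static_resources/listeners/0/filter_chains/0/filters/0/typed_config/route_config/virtual_hosts/0/routes/0/match"
      value:
        # Exact path match: a request such as /stats/prometheus/../quitquitquit
        # no longer matches this route and is not forwarded to the admin cluster.
        path: /stats/prometheus
```

Reference the resource from the GatewayClass `spec.parametersRef` so Envoy Gateway renders it into each proxy's bootstrap, then confirm on a running proxy that `/stats/prometheus` still returns metrics while a traversal-shaped path on the same listener gets a 404. Treat this as an interim measure only; 1.2.6 fixes the route itself and should still be rolled out.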

CWE(s)

CWE-419: Unprotected Primary Channel

Related Threats

MITRE ATT&CK Enterprise Techniques

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
T1489 Service Stop (Impact)
Adversaries may stop or disable services on a system to render those services unavailable to legitimate users.
T1602.002 Network Device Configuration Dump (Collection)
Adversaries may access network configuration files to collect sensitive data about the device and the network.
Why these techniques?

The traversal enters through the Prometheus metrics endpoint and reaches the Envoy Admin interface (T1210); from there the attacker can terminate the proxy process (T1489) and dump its configuration (T1602.002).

MITRE ATLAS Techniques

AML.T0012: Valid Accounts
AML.T0038
AML.T0048: External Harms

CVEs Like This One

CVE-2026-22771 (same product: Envoyproxy Gateway)
CVE-2026-26330 (same vendor: Envoyproxy)
CVE-2026-26310 (same vendor: Envoyproxy)
CVE-2026-26308 (same vendor: Envoyproxy)
CVE-2025-30157 (same vendor: Envoyproxy)

Affected Assets

envoyproxy
gateway
< 1.2.6 (fixed in 1.2.6)

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-2 Flaw Remediation): Timely remediation of the path traversal flaw by upgrading to Envoy Gateway 1.2.6 directly prevents exploitation of the vulnerability.

Prevent (CM-6 Configuration Settings): Establishing secure configuration settings, such as the bootstrap patch restricting the stats listener to only the Prometheus stats endpoint, blocks unauthorized Admin interface command execution.

Prevent (SI-10 Information Input Validation): Validating request paths so that traversal sequences cannot widen a narrow route into the Admin interface addresses the core mechanism of the flaw.
