
CVE-2025-29778

Severity: Medium · Public PoC referenced

Published: 24 March 2025
Modified: 01 August 2025
KEV Added: not listed
Patch: available (1.14.0-alpha.1)
CVSS Score v3.1: 5.8 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N)
EPSS Score: 0.0008 (24.3rd percentile)
Risk Priority: 12 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-29778 is an Improper Authorization (CWE-285) vulnerability in Kyverno with a CVSS v3.1 base score of 5.8 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Stealth (T1211). The CVE ranks at the 24.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-29778 is a vulnerability in Kyverno, a policy engine designed for cloud native platform engineering teams, affecting versions prior to 1.14.0-alpha.1. In keyless mode, Kyverno ignores the subjectRegExp and IssuerRegExp parameters during artifact signature verification. The advisory names only these regular-expression variants, so a policy that restricts the signer identity solely through them places no effective constraint on who signed the artifact on affected versions. This improper authorization flaw, classified under CWE-285, enables the deployment of Kubernetes resources using artifacts signed by unexpected certificates.

Exploitation is possible over the network (AV:N) by an attacker who already holds elevated privileges (PR:H), and it carries high attack complexity (AC:H); no user interaction is needed (UI:N). A successful attack allows deployment of unauthorized Kubernetes resources, giving high integrity impact (I:H) with no confidentiality or availability impact scored (C:N, A:N), a changed scope (S:C), and potential full compromise of the Kubernetes cluster.
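To make the failure concrete, the following added example (written for this page; it is not Kyverno's or Sigstore's code) models the identity check a keyless attestor performs, with the behaviour the advisory describes for affected versions beside a version that honours all four fields. The struct names, the anchoring of the regular expression, and the sample policy and signer identities are assumptions of the example.

```go
package main

import (
	"fmt"
	"regexp"
)

// Identity is the signer identity a Fulcio-issued keyless certificate
// carries: the OIDC subject (certificate SAN) and the OIDC issuer extension.
type Identity struct {
	Subject string
	Issuer  string
}

// KeylessConstraint holds the four identity fields a Kyverno keyless attestor
// exposes (subject, subjectRegExp, issuer, issuerRegExp). The struct is an
// assumption of this example, not Kyverno's own type.
type KeylessConstraint struct {
	Subject       string
	SubjectRegExp string
	Issuer        string
	IssuerRegExp  string
}

// matchField enforces one identity field. An exact value must equal the
// certificate value; a pattern must match the whole value. Both empty means
// no constraint on this field.
func matchField(exact, pattern, value string) (bool, error) {
	if exact != "" && exact != value {
		return false, nil
	}
	if pattern != "" {
		// Anchor the pattern: an unanchored "github\.com/example-org/.+"
		// would also match "https://evil.example/github.com/example-org/x".
		re, err := regexp.Compile("^(?:" + pattern + ")$")
		if err != nil {
			return false, fmt.Errorf("invalid pattern %q: %w", pattern, err)
		}
		if !re.MatchString(value) {
			return false, nil
		}
	}
	return true, nil
}

// VulnerableMatch models the behaviour the advisory describes for versions
// before 1.14.0-alpha.1: the regex fields are never consulted, so a policy
// that constrains identity only through them accepts any signer.
func VulnerableMatch(c KeylessConstraint, id Identity) bool {
	return (c.Subject == "" || c.Subject == id.Subject) &&
		(c.Issuer == "" || c.Issuer == id.Issuer)
}

// FixedMatch applies all four fields.
func FixedMatch(c KeylessConstraint, id Identity) (bool, error) {
	ok, err := matchField(c.Subject, c.SubjectRegExp, id.Subject)
	if err != nil || !ok {
		return false, err
	}
	return matchField(c.Issuer, c.IssuerRegExp, id.Issuer)
}

func main() {
	// Constructed policy: only workflows from one GitHub org, signed through
	// the GitHub Actions OIDC issuer, may sign the artifact.
	policy := KeylessConstraint{
		SubjectRegExp: `https://github\.com/example-org/.+`,
		IssuerRegExp:  `https://token\.actions\.githubusercontent\.com`,
	}
	// Constructed signer identities: the expected one and an unrelated one.
	signers := []Identity{
		{Subject: "https://github.com/example-org/app/.github/workflows/release.yml@refs/tags/v1.0.0",
			Issuer: "https://token.actions.githubusercontent.com"},
		{Subject: "attacker@example.net", Issuer: "https://accounts.google.com"},
	}
	for _, s := range signers {
		fixed, err := FixedMatch(policy, s)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-32.32s vulnerable=%-5v fixed=%v\n", s.Subject, VulnerableMatch(policy, s), fixed)
	}
}
```

With the regex-only policy above, the vulnerable path accepts both signers because neither exact field is set; the fixed path rejects the unrelated identity. Anchoring the pattern is a separate hygiene point worth keeping in your own policies, since a bare substring match would let an attacker-controlled subject embed the expected value.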

Kyverno version 1.14.0-alpha.1 includes a patch for the issue, as detailed in the associated GitHub security advisory (GHSA-46mp-8w32-6g94), commit (8777672fb17bdf252bd2e7d8de3441e240404a60), and pull request (#12237). Practitioners should upgrade to the patched version; until then, any keyless attestor whose signer constraint is expressed only through subjectRegExp or IssuerRegExp should be treated as unenforced.
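Until the upgrade lands, the practical question is which policies on the cluster silently lost their identity constraint. The following added audit (example code, not part of Kyverno) reads the JSON that `kubectl get clusterpolicy -o json` produces and flags keyless attestors whose subject or issuer constraint is expressed only through subjectRegExp or issuerRegExp. The struct projection and the embedded sample list are constructed for the example; it does not check the running Kyverno version, which you compare against the affected range separately.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal projection of the ClusterPolicy fields this audit needs. The JSON
// tags follow the kyverno.io/v1 schema; the structs are written for this
// example, not taken from Kyverno.
type keyless struct {
	Subject       string `json:"subject"`
	SubjectRegExp string `json:"subjectRegExp"`
	Issuer        string `json:"issuer"`
	IssuerRegExp  string `json:"issuerRegExp"`
}

type attestorEntry struct {
	Keyless *keyless `json:"keyless"`
}

type attestorSet struct {
	Entries []attestorEntry `json:"entries"`
}

type imageVerification struct {
	ImageReferences []string      `json:"imageReferences"`
	Attestors       []attestorSet `json:"attestors"`
}

type rule struct {
	Name         string              `json:"name"`
	VerifyImages []imageVerification `json:"verifyImages"`
}

type policy struct {
	Metadata struct {
		Name string `json:"name"`
	} `json:"metadata"`
	Spec struct {
		Rules []rule `json:"rules"`
	} `json:"spec"`
}

type policyList struct {
	Items []policy `json:"items"`
}

// Finding names a keyless attestor whose subject or issuer constraint rests
// on a regex field with no exact counterpart; on affected versions that
// field is ignored, so the attestor accepts any signer for that dimension.
type Finding struct {
	Policy string
	Rule   string
	Field  string
	Images []string
}

// AuditKeyless parses a `kubectl get clusterpolicy -o json` list and reports
// every regex-only identity constraint it finds.
func AuditKeyless(doc []byte) ([]Finding, error) {
	var list policyList
	if err := json.Unmarshal(doc, &list); err != nil {
		return nil, err
	}
	var out []Finding
	for _, p := range list.Items {
		for _, r := range p.Spec.Rules {
			for _, vi := range r.VerifyImages {
				for _, set := range vi.Attestors {
					for _, e := range set.Entries {
						k := e.Keyless
						if k == nil {
							continue
						}
						if k.SubjectRegExp != "" && k.Subject == "" {
							out = append(out, Finding{Policy: p.Metadata.Name, Rule: r.Name, Field: "subjectRegExp", Images: vi.ImageReferences})
						}
						if k.IssuerRegExp != "" && k.Issuer == "" {
							out = append(out, Finding{Policy: p.Metadata.Name, Rule: r.Name, Field: "issuerRegExp", Images: vi.ImageReferences})
						}
					}
				}
			}
		}
	}
	return out, nil
}

// Constructed sample in the shape of `kubectl get clusterpolicy -o json`:
// one policy relies on regex fields only, one pins exact values, one mixes.
const sampleList = `{"items":[
 {"metadata":{"name":"verify-ci-images"},
  "spec":{"rules":[{"name":"keyless-ci","verifyImages":[{"imageReferences":["ghcr.io/example-org/*"],
   "attestors":[{"entries":[{"keyless":{
     "subjectRegExp":"https://github\\.com/example-org/.+",
     "issuerRegExp":"https://token\\.actions\\.githubusercontent\\.com"}}]}]}]}]}},
 {"metadata":{"name":"verify-release-images"},
  "spec":{"rules":[{"name":"keyless-pinned","verifyImages":[{"imageReferences":["registry.example/release/*"],
   "attestors":[{"entries":[{"keyless":{
     "subject":"https://github.com/example-org/app/.github/workflows/release.yml@refs/heads/main",
     "issuer":"https://token.actions.githubusercontent.com"}}]}]}]}]}},
 {"metadata":{"name":"verify-mixed"},
  "spec":{"rules":[{"name":"keyless-mixed","verifyImages":[{"imageReferences":["registry.example/tools/*"],
   "attestors":[{"entries":[{"keyless":{
     "subjectRegExp":"https://github\\.com/example-org/tools/.+",
     "issuer":"https://token.actions.githubusercontent.com"}}]}]}]}]}}
]}`

func main() {
	findings, err := AuditKeyless([]byte(sampleList))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s/%s: %s has no exact counterpart; unenforced before 1.14.0-alpha.1 (images %v)\n",
			f.Policy, f.Rule, f.Field, f.Images)
	}
}
```

Feed it real output with `kubectl get clusterpolicy -o json > policies.json` and point AuditKeyless at the file. Namespaced `Policy` resources use the same verifyImages schema and can be audited the same way.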


Vulnerability details

Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to version 1.14.0-alpha.1, Kyverno ignores subjectRegExp and IssuerRegExp while verifying artifact's sign with keyless mode. It allows the attacker to deploy kubernetes resources with the artifacts that were signed by unexpected certificate. Deploying these unauthorized kubernetes resources can lead to full compromise of kubernetes cluster. Version 1.14.0-alpha.1 contains a patch for the issue.

CWE(s)

CWE-285 Improper Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1211 Exploitation for Stealth (tactic: Stealth)
Adversaries may exploit vulnerabilities to evade detection by hiding activity, suppressing logging, or operating within trusted or unmonitored components.
T1610 Deploy Container (tactic: Execution)
Adversaries may deploy a container into an environment to facilitate execution or evade defenses.
Why these techniques?

The vulnerability bypasses Kyverno's keyless signature verification (subjectRegExp/IssuerRegExp are not enforced), enabling unauthorized container deployments (T1610) and defense evasion through policy bypass (T1211); the changed scope reflects the potential for full cluster compromise.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-41485 (same product: Kyverno)
CVE-2026-23881 (same product: Kyverno)
CVE-2026-41323 (same product: Kyverno)
CVE-2026-41068 (same product: Kyverno)
CVE-2026-40868 (same product: Kyverno)
CVE-2026-22039 (same product: Kyverno)
CVE-2026-4789 (same product: Kyverno)
CVE-2026-24835 (shared CWE-285)
CVE-2025-7778 (shared CWE-285)
CVE-2026-32716 (shared CWE-285)

Affected Assets

Vendor: kyverno
Product: kyverno
Versions: 1.13.0 to 1.13.6

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

Prevent: Requires integrity verification of software and information using approved methods, directly preventing deployment of unauthorized Kubernetes resources due to Kyverno's flawed signature checks ignoring subjectRegExp and IssuerRegExp.

Prevent (CM-14 Signed Components): Mandates digital signing of components and signature verification prior to installation or execution, mitigating the improper authorization in Kyverno's keyless artifact verification.

Prevent (SI-2 Flaw Remediation): Requires timely identification, reporting, and correction of system flaws, such as patching Kyverno to version 1.14.0-alpha.1 to fix the signature verification bypass.
