Cyber Posture

CVE-2025-29778

Medium · Public PoC

Published: 24 March 2025

Modified: 01 August 2025
KEV Added
Patch
CVSS Score: 5.8 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N)
EPSS Score: 0.0009 (24.7th percentile)
Risk Priority: 12 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-29778 is a medium-severity Improper Authorization (CWE-285) vulnerability in Kyverno. Its CVSS base score is 5.8 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Stealth (T1211). The CVE ranks at the 24.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Stealth (T1211) and 1 other technique.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent

Requires integrity verification of software and information using approved methods, directly preventing deployment of unauthorized Kubernetes resources due to Kyverno's flawed signature checks ignoring subjectRegExp and IssuerRegExp.

prevent

Mandates digital signing of components and signature verification prior to installation or execution, mitigating the improper authorization in Kyverno's keyless artifact verification.

prevent

Requires timely identification, reporting, and correction of system flaws, such as patching Kyverno to version 1.14.0-alpha.1 to fix the signature verification bypass.

MITRE ATT&CK Enterprise Techniques

T1211 Exploitation for Stealth (tactic: Stealth)
Adversaries may exploit vulnerabilities to evade detection by hiding activity, suppressing logging, or operating within trusted or unmonitored components.

T1610 Deploy Container (tactic: Execution)
Adversaries may deploy a container into an environment to facilitate execution or evade defenses.

Why these techniques?

Vulnerability bypasses Kyverno signature verification (subjectRegExp/IssuerRegExp), enabling unauthorized container deployments (T1610) and defense evasion via policy bypass (T1211) with scope change to full cluster compromise.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

NVD Description

Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to version 1.14.0-alpha.1, Kyverno ignores subjectRegExp and IssuerRegExp while verifying artifact's sign with keyless mode. It allows the attacker to deploy kubernetes resources with the artifacts that were signed by unexpected certificate. Deploying these unauthorized kubernetes resources can lead to full compromise of kubernetes cluster. Version 1.14.0-alpha.1 contains a patch for the issue.

Deeper analysis

CVE-2025-29778 is a vulnerability in Kyverno, a policy engine designed for cloud native platform engineering teams, affecting versions prior to 1.14.0-alpha.1. In keyless mode, Kyverno ignores the subjectRegExp and IssuerRegExp parameters during artifact signature verification. This improper authorization flaw, classified under CWE-285, enables the deployment of Kubernetes resources using artifacts signed by unexpected certificates.

Exploitation is possible over the network (AV:N) by attackers with high privileges (PR:H), though it requires high attack complexity (AC:H) and no user interaction (UI:N). Successful attacks allow deployment of unauthorized Kubernetes resources, resulting in high integrity impact (I:H), changed scope (S:C), and potential full compromise of the Kubernetes cluster.

Kyverno version 1.14.0-alpha.1 includes a patch for the issue, as detailed in the associated GitHub security advisory (GHSA-46mp-8w32-6g94), commit (8777672fb17bdf252bd2e7d8de3441e240404a60), and pull request (#12237). Practitioners should upgrade to the patched version to mitigate the vulnerability.
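
The failure mode described above, modelled as an added Go example; it is not Kyverno's code and not taken from the advisory. The types `Identity` and `Cert`, the functions `VerifyFlawed`, `matchField` and `VerifyStrict`, and the sample identities are all hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// Identity is a hypothetical model of a keyless attestor's expected signer.
type Identity struct{ Subject, SubjectRegExp, Issuer, IssuerRegExp string }

// Cert holds the subject and OIDC issuer read from the signing certificate.
type Cert struct{ Subject, Issuer string }

// VerifyFlawed models the bug class: only exact fields are compared, so a
// policy that sets just the RegExp fields constrains nothing.
func VerifyFlawed(want Identity, c Cert) bool {
	return (want.Subject == "" || want.Subject == c.Subject) &&
		(want.Issuer == "" || want.Issuer == c.Issuer)
}

// matchField enforces the exact value and the pattern, whichever are set.
// Go patterns are unanchored, so policies should write ^...$ themselves.
func matchField(exact, pattern, got string) (bool, error) {
	if exact != "" && exact != got {
		return false, nil
	}
	if pattern == "" {
		return true, nil
	}
	re, err := regexp.Compile(pattern)
	if err != nil {
		return false, err // fail closed on an invalid pattern
	}
	return re.MatchString(got), nil
}

// VerifyStrict rejects unless both subject and issuer constraints hold.
func VerifyStrict(want Identity, c Cert) (bool, error) {
	if ok, err := matchField(want.Subject, want.SubjectRegExp, c.Subject); !ok {
		return false, err
	}
	return matchField(want.Issuer, want.IssuerRegExp, c.Issuer)
}

func main() {
	// Constructed sample values, not taken from the advisory.
	want := Identity{SubjectRegExp: `^https://github\.com/example-org/.+$`, IssuerRegExp: `^https://token\.actions\.githubusercontent\.com$`}
	c := Cert{Subject: "https://github.com/other-org/app", Issuer: "https://token.actions.githubusercontent.com"}
	strict, _ := VerifyStrict(want, c)
	fmt.Println("flawed:", VerifyFlawed(want, c), "strict:", strict)
}
```

A regression test of this shape, with a certificate whose subject falls outside the configured pattern, is a quick way to confirm after upgrading that regex-only identities are actually enforced.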

Details

CWE(s)

Affected Products

kyverno
kyverno
1.13.0 — 1.13.6

CVEs Like This One

CVE-2026-22039 · Same product: Kyverno Kyverno
CVE-2026-4789 · Same product: Kyverno Kyverno
CVE-2026-40868 · Same product: Kyverno Kyverno
CVE-2026-41323 · Same product: Kyverno Kyverno
CVE-2026-41485 · Same product: Kyverno Kyverno
CVE-2026-41068 · Same product: Kyverno Kyverno
CVE-2026-23881 · Same product: Kyverno Kyverno
CVE-2026-27912 · Shared CWE-285
CVE-2024-13646 · Shared CWE-285
CVE-2025-4521 · Shared CWE-285

References