CVE-2025-29922
Published: 20 March 2025
Summary
CVE-2025-29922 is a critical-severity Improper Authorization (CWE-285) vulnerability in kcp, a Kubernetes-like control plane. Its CVSS v3.1 base score is 9.6 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 37.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): mandates enforcement of approved authorizations for system resources, directly countering the improper authorization that allows unauthorized object creation and deletion via the APIExport VirtualWorkspace.
- AC-6 (Least Privilege): limits which principals can reach the APIExport virtual workspace at all, so that a low-privileged attacker has fewer opportunities to perform high-impact cross-workspace operations even where the authorization bypass succeeds.
- SI-2 (Flaw Remediation): requires timely remediation of identified flaws such as CVE-2025-29922 by patching to kcp 0.26.3 or 0.27.0.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The authorization bypass in the kcp APIExport VirtualWorkspace lets a low-privileged remote attacker create and delete objects in arbitrary workspaces without the required APIBinding, which is a direct instance of Exploitation for Privilege Escalation (T1068).
NVD Description
kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.26.3, the identified vulnerability allows creating or deleting an object via the APIExport VirtualWorkspace in any arbitrary target workspace for pre-existing resources. By design, this should only be allowed when the workspace owner decides to give access to an API provider by creating an APIBinding. With this vulnerability, it is possible for an attacker to create and delete objects even if none of these requirements are satisfied, i.e. even if there is no APIBinding in that workspace at all or the workspace owner has created an APIBinding, but rejected a permission claim. A fix for this issue has been identified and has been published with kcp 0.26.3 and 0.27.0.
Deeper analysis
CVE-2025-29922 affects kcp, a Kubernetes-like control plane designed for form-factors and use-cases beyond Kubernetes and container workloads. In versions prior to 0.26.3, the vulnerability lets a caller of the APIExport VirtualWorkspace create or delete objects of resources that already exist in any arbitrary target workspace. By design, such operations should only be permitted when the workspace owner explicitly opts in by creating an APIBinding for the provider's APIExport and accepting the provider's permission claims; this flaw allows them even when no APIBinding exists in the target workspace, or when one exists but the owner rejected the relevant permission claim. It is rated CVSS 9.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N) and maps to CWE-285 (Improper Authorization).
A low-privileged remote attacker can exploit this vulnerability over the network with low attack complexity and no user interaction. By driving requests through the APIExport VirtualWorkspace mechanism, the attacker can create or delete objects in workspaces that never granted the provider access, so the impact (high on confidentiality and integrity, none on availability) lands outside the component the attacker was authorized for, which is why the vector carries a scope change (S:C).
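To make the intended rule concrete, here is a small Go model of the decision the APIExport virtual workspace is supposed to make. It is an added example written for this page, not kcp's own authorizer: the APIBinding, PermissionClaim, Export and Request types, the workspace paths and the Authorize function are simplified assumptions, not kcp's real API. It encodes the two conditions the NVD text names: a request arriving through an export's virtual workspace is denied when the target workspace holds no APIBinding for that export, and when the resource is covered only by a permission claim the owner rejected.

```go
package main

import "fmt"

// Illustrative model of the authorization rule the APIExport virtual workspace
// is meant to enforce. Added example, not kcp code: every type and function
// name here is a simplified assumption, not kcp's real API.

// ClaimState records the workspace owner's decision on a permission claim.
type ClaimState int

const (
	ClaimRejected ClaimState = iota
	ClaimAccepted
)

// PermissionClaim is a provider's request to touch a resource (group/resource)
// inside the consumer workspace, together with the owner's decision.
type PermissionClaim struct {
	Group    string
	Resource string
	State    ClaimState
}

// APIBinding is the consumer workspace's explicit opt-in to one APIExport.
type APIBinding struct {
	Workspace string // workspace path that holds the binding
	ExportRef string // the APIExport the binding points at
	Claims    []PermissionClaim
}

// Export is the provider side: which resources the export serves.
type Export struct {
	Ref      string
	Exported []string // "group/resource" entries served by this export
}

// Request is a create or delete arriving through an export's virtual workspace.
type Request struct {
	ExportRef string // virtual workspace the request came through
	Target    string // target workspace path
	Group     string
	Resource  string
}

// Authorize decides a request. Policy, in order:
//  1. the request must be for this export's virtual workspace;
//  2. the target workspace must hold an APIBinding for this export;
//  3. a resource the provider itself exports is allowed;
//  4. any other resource needs a permission claim the owner accepted.
// Checks 2 and 4 are the ones CVE-2025-29922 let through.
func Authorize(req Request, export Export, bindings []APIBinding) (bool, string) {
	if req.ExportRef != export.Ref {
		return false, "request is not for this export"
	}
	var binding *APIBinding
	for i := range bindings {
		if bindings[i].Workspace == req.Target && bindings[i].ExportRef == req.ExportRef {
			binding = &bindings[i]
			break
		}
	}
	if binding == nil {
		return false, "no APIBinding for this export in the target workspace"
	}
	gr := req.Group + "/" + req.Resource
	for _, e := range export.Exported {
		if e == gr {
			return true, "resource is exported by the provider"
		}
	}
	for _, c := range binding.Claims {
		if c.Group == req.Group && c.Resource == req.Resource {
			if c.State == ClaimAccepted {
				return true, "permission claim accepted by the workspace owner"
			}
			return false, "permission claim rejected by the workspace owner"
		}
	}
	return false, "resource is neither exported nor claimed"
}

// Scenario builds a constructed fixture: one export, and one consumer
// workspace that bound it, accepted a claim on configmaps and rejected
// one on secrets. A second workspace (team-b) has no binding at all.
func Scenario() (Export, []APIBinding) {
	export := Export{Ref: "root:provider:widgets", Exported: []string{"example.io/widgets"}}
	bindings := []APIBinding{{
		Workspace: "root:org:team-a",
		ExportRef: "root:provider:widgets",
		Claims: []PermissionClaim{
			{Group: "", Resource: "configmaps", State: ClaimAccepted},
			{Group: "", Resource: "secrets", State: ClaimRejected},
		},
	}}
	return export, bindings
}

func main() {
	export, bindings := Scenario()
	for _, req := range []Request{
		{ExportRef: "root:provider:widgets", Target: "root:org:team-a", Group: "example.io", Resource: "widgets"},
		{ExportRef: "root:provider:widgets", Target: "root:org:team-a", Group: "", Resource: "configmaps"},
		{ExportRef: "root:provider:widgets", Target: "root:org:team-a", Group: "", Resource: "secrets"},
		{ExportRef: "root:provider:widgets", Target: "root:org:team-b", Group: "example.io", Resource: "widgets"},
	} {
		ok, why := Authorize(req, export, bindings)
		fmt.Printf("%-16s %s/%s allow=%-5v %s\n", req.Target, req.Group, req.Resource, ok, why)
	}
}
```

The last two requests in main are the vulnerable cases: a rejected claim and a workspace with no binding. A correct authorizer denies both; the bug described above is that the real virtual workspace did not.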
The vulnerability has been addressed in kcp versions 0.26.3 and 0.27.0. Administrators should upgrade to 0.26.3 or later; there is no configuration-only workaround described in the advisory. Additional details are available in the GitHub security advisory GHSA-w2rr-38wv-8rrp, the fixing pull request #3338, and commit 614ecbf35f11db00f65391ab6fbb1547ca8b5d38.
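For fleet triage, the following Go helper (an added example, not from the kcp project) flags version strings that predate the fix. It assumes kcp's three-part semver tags with an optional leading "v", and treats a pre-release of 0.26.3 (for example 0.26.3-rc.1) as still vulnerable, since under semver it precedes the 0.26.3 release. The version list in main is constructed for the example and is not real tool output.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// fixedRelease is the first kcp release carrying the fix (0.26.3); 0.27.0 and
// every later release also contain it, so a plain ">= 0.26.3" comparison is
// sufficient.
var fixedRelease = [3]int{0, 26, 3}

// parseVersion accepts "0.26.2" or "v0.26.2", optionally followed by a semver
// pre-release ("-rc.1") or build ("+abc") suffix. It reports whether the
// version is a pre-release, because 0.26.3-rc.1 still precedes 0.26.3.
func parseVersion(v string) (ver [3]int, pre bool, err error) {
	v = strings.TrimPrefix(strings.TrimSpace(v), "v")
	if i := strings.IndexByte(v, '+'); i >= 0 { // build metadata never affects ordering
		v = v[:i]
	}
	if i := strings.IndexByte(v, '-'); i >= 0 { // pre-release marker
		pre = true
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return ver, false, fmt.Errorf("unrecognised version %q", v)
	}
	for i, p := range parts {
		n, convErr := strconv.Atoi(p)
		if convErr != nil || n < 0 {
			return ver, false, fmt.Errorf("unrecognised version component %q", p)
		}
		ver[i] = n
	}
	return ver, pre, nil
}

// IsVulnerable reports whether a kcp version predates the fix for
// CVE-2025-29922. Pre-release builds of 0.26.3 itself count as vulnerable.
func IsVulnerable(version string) (bool, error) {
	ver, pre, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	for i := 0; i < 3; i++ {
		if ver[i] < fixedRelease[i] {
			return true, nil
		}
		if ver[i] > fixedRelease[i] {
			return false, nil
		}
	}
	return pre, nil // exactly 0.26.3: vulnerable only if it is a pre-release
}

func main() {
	// Constructed inventory of version strings (assumed to come from image
	// tags or binaries in an environment); not real output from any tool.
	for _, v := range []string{"v0.25.1", "v0.26.2", "v0.26.3-rc.1", "v0.26.3", "v0.27.0", "latest"} {
		vuln, err := IsVulnerable(v)
		if err != nil {
			fmt.Printf("%-14s cannot evaluate: %v\n", v, err)
			continue
		}
		fmt.Printf("%-14s vulnerable=%v\n", v, vuln)
	}
}
```

Floating tags such as "latest" are reported as unevaluable rather than silently passed; resolve them to a concrete version before trusting the result.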
Details
- CWE(s)