Kubernetes Image Builder
cpe:2.3:a:kubernetes-sigs:image_builder:*:*:*:*:*:*:*
- <= v0.1.44
A vulnerability exists in Kubernetes Image Builder versions through v0.1.44 when images are built with the Nutanix or OVA provider: default credentials are not disabled in the resulting Windows virtual machine images. This oversight allows unauthorized access over SSH, RDP or WinRM, giving root access to the affected nodes. Clusters are only vulnerable if their Windows nodes use images built with these default credentials by one of the providers named above.
Exploiting this vulnerability lets unauthorized users log in to Windows nodes with the default credentials, potentially gaining root access.
To address this vulnerability, rebuild any affected images using Kubernetes Image Builder version v0.1.45 or later. After rebuilding, redeploy the updated images to any affected virtual machines. If an immediate upgrade is not possible, change the password of the Administrator account on affected VMs as a temporary measure.
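For the interim mitigation above, the following added PowerShell example (not from the advisory or the image-builder project) rotates the built-in Administrator password on one affected Windows VM; it assumes it is run in an elevated session on that VM and that the new password is then stored in the team's secret manager.

```powershell
# Added example: rotate the built-in Administrator password on an affected
# Windows node as the temporary measure until the image is rebuilt with
# Image Builder v0.1.45 or later. Assumes an elevated session on the VM.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

# Locate the built-in Administrator by its well-known RID (-500) rather than by
# display name, in case the account was renamed in the image.
$admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if (-not $admin) { throw 'Built-in Administrator account not found.' }
Write-Host "Account: $($admin.Name)  PasswordLastSet: $($admin.PasswordLastSet)"

# Build a 32-character password from a cryptographic RNG. The alphabet has
# exactly 64 symbols, so indexing a byte with modulo introduces no bias.
$alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$plain  = -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
$secure = ConvertTo-SecureString $plain -AsPlainText -Force

# Replace the default credential. The new value is printed once so it can be
# recorded in a secret manager; the script keeps no other copy.
Set-LocalUser -Name $admin.Name -Password $secure
$after = Get-LocalUser -Name $admin.Name
Write-Host "Rotated. PasswordLastSet now: $($after.PasswordLastSet)"
Write-Host "New password (store it securely): $plain"
```

Run this on every VM that was provisioned from an affected image; it does not replace rebuilding and redeploying the image with v0.1.45 or later.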