Kubernetes Image Builder Vulnerability Grants Root Access to Windows Nodes


A high-severity vulnerability (CVSS 8.1) in the Kubernetes Image Builder has been disclosed that allows attackers to gain Administrator-level (root-equivalent) access on Windows nodes by logging in with default credentials left embedded in the virtual machine images the tool produces.

Tracked as CVE-2025-7342, the flaw affects images built with the Nutanix or OVA providers in Kubernetes Image Builder versions v0.1.44 and earlier.

CVE identifier: CVE-2025-7342
Description: VM images built with the Kubernetes Image Builder Nutanix or OVA providers include default Windows credentials.
CVSS v3.1 score: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected versions: v0.1.44 and earlier
Fixed version: v0.1.45

The issue stems from the image builder's failure to disable or rotate the default Windows Administrator credentials it sets during the build when users do not explicitly override them, so the default password is shipped inside the finished image.

As a result, any cluster deploying Windows nodes from these unpatched images may be susceptible to unauthorized remote access.

Operators of Kubernetes clusters utilizing Windows VM images produced by the Image Builder project should immediately audit their images for embedded default credentials.

If these credentials remain unchanged, an attacker with network access to the node's remote login services could log in directly as the built-in Administrator account. Since that account already holds full control of the node, the attacker can reach the node's kubelet credentials and container workloads and potentially compromise the entire cluster.

Although Linux-based images and those generated by other providers are not affected, any mixed-environment cluster with vulnerable Windows nodes is at risk.

Security teams can determine the version of Image Builder in use by checking the build metadata, inspecting the release tag, or querying the running container image for its version string.

For installations based on source code, executing "make version" in the local image-builder repository reveals the version.

Containerized deployments may simply inspect the image tag, such as registry.k8s.io/scl-image-builder/cluster-node-image-builder-amd64:v0.1.44, to confirm vulnerability status: any tag at v0.1.44 or earlier is affected.
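The following is an added example, not code from the advisory or from the image-builder project. It takes a list of Image Builder container references in the tag format shown above, extracts each version and classifies it against the first fixed release (v0.1.45). The helper names (image_version, version_lt, is_vulnerable_ref, audit_images) and the sample inventory are constructed for this illustration; the comparison is done per numeric field because a plain string or lexical sort would wrongly rank a tag such as v0.1.9 above v0.1.45.

```bash
#!/usr/bin/env bash
# Added example; not code from the advisory or the image-builder project.
# Classifies Image Builder container references by comparing the tag's
# version with the first fixed release named in the advisory.
set -eu

FIXED_VERSION="0.1.45"   # first release that requires an explicit admin password

# Print the version carried by an image reference, or "unknown" when the
# reference has no tag. A trailing @sha256:... digest is dropped first, and a
# registry port (host:5000/name) is not mistaken for a tag.
image_version() {
  local ref="${1%%@*}"
  local tag="${ref##*:}"
  if [ "$tag" = "$ref" ] || [ "${tag#*/}" != "$tag" ]; then
    printf 'unknown\n'
    return 0
  fi
  tag="${tag#v}"               # v0.1.44 -> 0.1.44
  printf '%s\n' "${tag%%-*}"   # drop a pre-release suffix such as -rc1
}

# Numeric major.minor.patch comparison: succeeds when $1 is older than $2.
# A string compare would rank 0.1.9 above 0.1.45, so each field is compared
# as an integer.
version_lt() {
  local -a a b
  local i x y
  IFS=. read -r -a a <<< "$1"
  IFS=. read -r -a b <<< "$2"
  for i in 0 1 2; do
    x="${a[$i]:-0}"
    y="${b[$i]:-0}"
    if [ "$x" -lt "$y" ]; then return 0; fi
    if [ "$x" -gt "$y" ]; then return 1; fi
  done
  return 1   # equal versions are not older
}

# Succeeds when the reference carries a known version older than FIXED_VERSION.
is_vulnerable_ref() {
  local v
  v="$(image_version "$1")"
  [ "$v" != "unknown" ] && version_lt "$v" "$FIXED_VERSION"
}

# Print one line per reference: VULNERABLE, FIXED or UNKNOWN, then the ref.
audit_images() {
  local ref status
  for ref in $1; do
    if [ "$(image_version "$ref")" = "unknown" ]; then
      status="UNKNOWN"
    elif is_vulnerable_ref "$ref"; then
      status="VULNERABLE"
    else
      status="FIXED"
    fi
    printf '%-10s %s\n' "$status" "$ref"
  done
}

# Constructed sample inventory (not output from a real cluster). An untagged
# reference is reported as UNKNOWN rather than silently treated as safe.
SAMPLE_IMAGES="
registry.k8s.io/scl-image-builder/cluster-node-image-builder-amd64:v0.1.44
registry.k8s.io/scl-image-builder/cluster-node-image-builder-amd64:v0.1.45
registry.k8s.io/scl-image-builder/cluster-node-image-builder-amd64:v0.1.9
registry.k8s.io/scl-image-builder/cluster-node-image-builder-amd64:v0.2.0
registry.k8s.io/scl-image-builder/cluster-node-image-builder-amd64
localhost:5000/mirror/cluster-node-image-builder-amd64:v0.1.40@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"

audit_images "$SAMPLE_IMAGES"
```

In practice the inventory would come from wherever your pipeline records which builder produced each Windows image (CI job logs, image metadata, or the container references in your build manifests); the script only decides, per reference, whether a rebuild with v0.1.45 or later is required, and deliberately refuses to mark an untagged reference as fixed.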

Mitigation is straightforward: rebuild all affected Windows VM images using Image Builder release v0.1.45 or later, which requires an explicit specification of the WINDOWS_ADMIN_PASSWORD environment variable or the admin_password JSON parameter.

Clusters unable to rebuild immediately can temporarily neutralize the risk by manually resetting the Administrator password on each affected VM from the built-in Windows command line, until rebuilt images can be rolled out.

Once images have been regenerated with the fixed release and redeployed, the default-credential vector is eliminated, and the builder will reject any Windows image build that lacks an explicitly supplied admin password.

Beyond patching, this incident underscores the importance of always specifying strong, unique credentials during automated image creation and integrating continuous validation into provisioning pipelines.

Teams that pin a particular image builder version should balance stability against timely security updates to avoid inheriting similar oversights in default configuration.

Organizations are encouraged to verify their image inventories, apply the updated builder release, and coordinate with security responders if any signs of exploitation are discovered.

