CVE-2025-32963: CWE-522: Insufficiently Protected Credentials in minio operator
MinIO Operator STS is a native IAM Authentication for Kubernetes. Prior to version 7.1.0, if no audiences are provided for the `spec.audiences` field, the default will be of the Kubernetes apiserver. Without scoping, it can be replayed to other internal systems, which may unintentionally trust it. This issue has been patched in version 7.1.0.
AI Analysis
Technical Summary
CVE-2025-32963 is a medium-severity vulnerability in MinIO Operator versions prior to 7.1.0. MinIO Operator STS is the operator's Security Token Service: a Kubernetes workload presents its service account token to the operator, the operator validates that token against the Kubernetes API server with a TokenReview request, and on success issues temporary MinIO credentials for the workload. The flaw is in how that token is scoped. A TokenReview carries an optional `spec.audiences` list, and when it is empty the API server falls back to its own audience. Before 7.1.0 the operator supplied no audiences, so the only tokens its STS endpoint would accept were ordinary API-server-scoped service account tokens, the same tokens the API server itself and any other in-cluster component that performs unscoped TokenReviews also accept. A token handed to the MinIO STS endpoint was therefore not bound to MinIO at all: whoever obtained it (a compromised MinIO endpoint, a proxy on the path, a leaked log, a pod filesystem) could replay it to the Kubernetes API server or to other internal systems as the originating service account. This is the CWE-522 (Insufficiently Protected Credentials) pattern: a credential whose scope is wider than its use. Exploitation requires possession of a token but no further authentication or user interaction, and no exploits are known in the wild. Version 7.1.0 fixes the issue by passing an explicit audience in the TokenReview instead of relying on the API server default, so tokens presented to the STS endpoint must be issued for that audience, and a token issued for it is not accepted by the API server or by other audience-aware consumers.
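The following Python is an added illustration, not code from the advisory or from the MinIO project. It models an audience-aware validator with TokenReview semantics (an empty `spec.audiences` list is replaced by the API server's own audience) and then asks which in-cluster consumers would accept a given service account token. The audience strings, the service account name, the set of consumers and the tokens themselves are constructed for the example; the tokens are unsigned and only serve to inspect the `aud` claim.

```python
import base64
import json

# Illustrative audience strings (assumptions for this example, not values from the advisory).
APISERVER_AUD = "https://kubernetes.default.svc"
MINIO_STS_AUD = "sts.example.internal"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_unsigned_sa_token(service_account: str, audiences: list[str]) -> str:
    """Construct a JWT shaped like a Kubernetes projected service-account token.

    The signature segment is a placeholder: this token is only for inspecting
    claims offline, never for authenticating anywhere.
    """
    header = {"alg": "none", "typ": "JWT"}
    claims = {
        "iss": "https://kubernetes.default.svc.cluster.local",
        "sub": f"system:serviceaccount:{service_account}",
        "aud": audiences,
        "exp": 4102444800,
    }
    return ".".join(
        [_b64url(json.dumps(header).encode()), _b64url(json.dumps(claims).encode()), "unsigned"]
    )


def token_audiences(token: str) -> list[str]:
    """Return the `aud` claim of a JWT without verifying its signature.

    Signature checking is the API server's job (TokenReview); this helper only
    answers "what is this token scoped to?", which is what an audit needs.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    claims = json.loads(base64.urlsafe_b64decode(payload))
    aud = claims.get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def validator_accepts(token: str, requested_audiences: list[str]) -> bool:
    """Model an audience-aware validator with TokenReview semantics.

    `requested_audiences` is what the resource server puts in `spec.audiences`.
    An empty list reproduces the pre-7.1.0 operator behaviour: the API server
    substitutes its own audience, so only API-server-scoped tokens pass.
    """
    effective = requested_audiences or [APISERVER_AUD]
    return any(aud in effective for aud in token_audiences(token))


def replay_targets(token: str, systems: dict[str, list[str]]) -> list[str]:
    """Names of the systems (name -> audiences they validate against) that accept this token."""
    return [name for name, auds in systems.items() if validator_accepts(token, auds)]


# Constructed set of in-cluster consumers and the audiences each validates against.
SYSTEMS = {
    "kube-apiserver": [],                    # validates against its own audience
    "minio-operator-sts (pre-7.1.0)": [],    # spec.audiences omitted: inherits the apiserver default
    "minio-operator-sts (scoped)": [MINIO_STS_AUD],
    "internal-admission-webhook": [],        # another component doing unscoped TokenReviews
}

DEFAULT_TOKEN = make_unsigned_sa_token("tenant/app", [APISERVER_AUD])
SCOPED_TOKEN = make_unsigned_sa_token("tenant/app", [MINIO_STS_AUD])

if __name__ == "__main__":
    for label, tok in (("default-audience token", DEFAULT_TOKEN), ("MinIO-scoped token", SCOPED_TOKEN)):
        print(f"{label} {token_audiences(tok)} accepted by: {replay_targets(tok, SYSTEMS)}")
```

Run as-is, the default-audience token is accepted by the API server, the pre-7.1.0 STS endpoint and the unscoped webhook alike, while the MinIO-scoped token is accepted only by the scoped STS endpoint. `token_audiences` is the check worth running against the token your own workloads mount for MinIO: if its `aud` is the API server audience, it is replayable.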
Potential Impact
For European organizations running Kubernetes clusters with MinIO Operator versions prior to 7.1.0, the practical risk is lateral movement. The service account token a workload hands to the MinIO STS endpoint is an ordinary API-server-scoped token, so anyone who obtains it (through a compromised MinIO endpoint, a proxy on the path, a leaked log or a pod compromise) can replay it to the Kubernetes API server and to any other internal service that accepts API-server-audience tokens, acting as that service account with whatever RBAC permissions it has been granted. Depending on those permissions this can mean reading secrets, reaching data in other namespaces, escalating privileges or disrupting workloads, which matters most in sectors with strict data protection obligations such as finance, healthcare and government. Exploitation requires no user interaction, but it does require obtaining a token first, for example through an insider or a prior compromise, and no exploits are known in the wild. Given the broad adoption of Kubernetes and MinIO in cloud-native deployments across Europe, a cluster still running an affected operator version should treat this as a standing exposure rather than a theoretical one.
Mitigation Recommendations
Upgrade all MinIO Operator deployments to version 7.1.0 or later, where the TokenReview is performed against an explicit audience. Audit Kubernetes clusters for operator instances running affected versions and prioritize their upgrade. Review the service account tokens workloads mount: prefer a projected `serviceAccountToken` volume with an explicit `audience` and a short `expirationSeconds` over the default automounted token (set `automountServiceAccountToken: false` where the workload does not need API server access), so the credential a workload holds is valid only for the service that consumes it and expires quickly if leaked. Keep the RBAC granted to those service accounts minimal, since a replayed token carries all of it. Segment the network and restrict which workloads can reach the STS endpoint and other token-accepting services to limit what a replayed token can reach. Monitor Kubernetes audit logs for service accounts authenticating from unexpected source addresses or calling APIs they never used before, and MinIO Operator logs for unusual STS activity. Make sure DevOps and security teams specify explicit audiences whenever tokens are issued or validated, rather than relying on the API server default.
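As an added example (not a manifest from the advisory or the MinIO project), this pod spec replaces the default automounted token with a projected token scoped to a single audience and a short lifetime. The namespace, service account, image and the audience value `sts.example.internal` are placeholders; the audience has to be the one your MinIO Operator (7.1.0 or later) is configured to validate.

```yaml
# Added example, not from the advisory or the MinIO project.
# Names, image and the audience value are assumptions.
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: tenant
spec:
  serviceAccountName: app
  # Do not mount the default, API-server-scoped token: that is the credential
  # that can be replayed to any component trusting API-server-audience tokens.
  automountServiceAccountToken: false
  containers:
    - name: app
      image: registry.example.internal/app:1.0   # placeholder image
      volumeMounts:
        - name: minio-sts-token
          mountPath: /var/run/secrets/minio-sts
          readOnly: true
  volumes:
    - name: minio-sts-token
      projected:
        sources:
          - serviceAccountToken:
              path: token
              audience: sts.example.internal   # hypothetical MinIO STS audience
              expirationSeconds: 600           # minimum allowed; kubelet rotates it before expiry
```

A token projected this way is rejected by the API server, so a workload that also needs the Kubernetes API should mount a second projected source with the API server audience rather than re-enabling the default automount. To check what a given audience produces before rolling this out, `kubectl create token app -n tenant --audience sts.example.internal --duration 10m` returns a token whose `aud` claim you can decode and inspect.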
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-04-14T21:47:11.453Z
- CISA Enriched: true
Threat ID: 682d983ec4522896dcbf01a5
Added to database: 5/21/2025, 9:09:18 AM
Last enriched: 6/24/2025, 1:57:44 PM
Last updated: 8/15/2025, 8:18:01 AM
Related Threats
- CVE-2025-52621: CWE-346 Origin Validation Error in HCL Software BigFix SaaS Remediate (Medium)
- CVE-2025-52620: CWE-20 Improper Input Validation in HCL Software BigFix SaaS Remediate (Medium)
- CVE-2025-52619: CWE-209 Generation of Error Message Containing Sensitive Information in HCL Software BigFix SaaS Remediate (Medium)
- CVE-2025-52618: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in HCL Software BigFix SaaS Remediate (Medium)
- CVE-2025-43201: An app may be able to unexpectedly leak a user's credentials in Apple Apple Music Classical for Android (High)