CVE-2025-46599: CWE-1188 Initialization of a Resource with an Insecure Default in K3s
CNCF K3s 1.32 before 1.32.4-rc1+k3s1 has a Kubernetes kubelet configuration change with the unintended consequence that, in some situations, ReadOnlyPort is set to 10255. For example, the default behavior of a K3s online installation might allow unauthenticated access to this port, exposing credentials.
AI Analysis
Technical Summary
CVE-2025-46599 affects the CNCF K3s lightweight Kubernetes distribution in the 1.32 release line prior to 1.32.4-rc1+k3s1. A change in how K3s generates its kubelet configuration had the unintended effect that, in some situations (the default online installation is the cited example), the kubelet's ReadOnlyPort ends up at 10255 instead of being disabled as in earlier K3s releases. 10255 is the upstream kubelet default: unless ReadOnlyPort is explicitly set to 0, the kubelet serves a plain-HTTP read-only API on that port with no authentication and no authorization. The kubelet runs on every node and manages that node's pods, and its read-only server exposes endpoints such as /pods and /metrics. The /pods endpoint returns the full specification of every pod scheduled on the node, including image references, volume and host-path mounts, service account names and environment variables; environment variables defined with literal values are returned in the clear, which is how the advisory's "exposing credentials" arises. The port cannot be used to change workloads, but anyone who can reach it on the node network obtains a complete inventory for reconnaissance, credential harvesting and lateral movement without ever touching the authenticated kubelet port 10250. The weakness is classified as CWE-1188 (initialization of a resource with an insecure default), since the exposure comes from an unintended default rather than from anything the operator configured. No exploitation in the wild was known at the time of reporting; the page links no patch, but 1.32.4-rc1+k3s1 is given as the first fixed version. The CVE was reserved and published on April 25, 2025, and is rated medium severity on the information available.
Potential Impact
For European organizations running K3s, this is primarily a confidentiality issue: an unauthenticated read-only kubelet API on port 10255 lets anyone on the node network enumerate the pods on each node, their images, mounted volumes, service accounts and literal environment variables, and scrape node and container metrics. Credentials passed to workloads as plain environment variables are disclosed outright, and the rest of the data gives an attacker an accurate map of the cluster for choosing follow-on targets. The vulnerability itself allows neither code execution nor modification of workloads, so integrity and availability are not directly affected; the risk is that the disclosed material enables subsequent attacks, such as using harvested credentials against databases, registries or cloud APIs, or pivoting to other nodes and services. The exposure is worst where nodes sit on a shared or routable network, which is common in the edge, IoT and small-footprint deployments K3s is designed for. With K3s in use across finance, manufacturing and critical-infrastructure environments in Europe, the number of exposed nodes could be substantial, particularly on installations that accepted the defaults.
Mitigation Recommendations
1. Upgrade every K3s server and agent node in the 1.32 line to 1.32.4-rc1+k3s1 or a later 1.32 release, where the kubelet is again configured with ReadOnlyPort disabled. Only the 1.32 line is listed as affected.
2. Until the upgrade is done, disable the port explicitly: pass --kubelet-arg=read-only-port=0 to k3s server and k3s agent (or add it under kubelet-arg in /etc/rancher/k3s/config.yaml) on every node and restart the service. As a fallback, block TCP/10255 at the host firewall and at the network edge so that only administrative networks can reach it.
3. Verify rather than assume: after the restart, confirm that nothing listens on 10255 (ss -ltn on the node) and that an unauthenticated request to http://<node>:10255/pods from another host fails; also review the effective kubelet configuration for readOnlyPort set to 0 and for anonymous authentication disabled on port 10250.
4. Treat any credential that was reachable as a literal environment variable in a pod spec on an exposed node as potentially compromised and rotate it; move such values into Secrets referenced via secretKeyRef or mounted volumes, which the read-only API returns only as references, not as values.
5. Segment node networks and apply zero-trust principles so that kubelet ports are reachable only from the control plane and administrative hosts.
6. Monitor firewall, flow and network-sensor logs for connections to port 10255 from unexpected sources; the kubelet does not authenticate or log these requests in a useful way, so network telemetry is the main detection source.
7. Include kubelet port exposure in regular audits and penetration tests of Kubernetes clusters, and make sure DevOps and security teams know that distribution defaults can change between releases and must be re-verified on every upgrade.
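To make the verification and credential-exposure checks in the list above concrete, here is an added audit script in Python. It is example code written for this page, not part of K3s or the kubelet. It assumes the operator has fetched each node's effective kubelet configuration through the API server proxy (kubectl get --raw /api/v1/nodes/<node>/proxy/configz) and, for nodes that answer on 10255, the PodList from http://<node>:10255/pods; the two JSON documents embedded in the script are constructed samples, and the function and variable names are the script's own.

```python
"""Audit helpers for the K3s kubelet ReadOnlyPort exposure (CVE-2025-46599).

Added example for this page, not K3s or kubelet project code. Assumes two
inputs the operator obtains separately:
  * the effective kubelet configuration returned by the API server proxy
    (kubectl get --raw /api/v1/nodes/<node>/proxy/configz), and
  * the PodList a kubelet serves unauthenticated at http://<node>:10255/pods
    when ReadOnlyPort is 10255.
The sample documents below are constructed for illustration.
"""
import json
import re
import sys
import urllib.error
import urllib.request
from typing import List, Optional, Tuple

# Constructed sample of the relevant part of a /configz response.
SAMPLE_CONFIGZ = json.dumps({
    "kubeletconfig": {
        "port": 10250,
        "readOnlyPort": 10255,
        "authentication": {"anonymous": {"enabled": False}},
    }
})

# Constructed sample PodList in the shape the read-only port returns.
SAMPLE_PODS = json.dumps({
    "kind": "PodList",
    "items": [
        {
            "metadata": {"namespace": "default", "name": "web-7d9f"},
            "spec": {"containers": [{
                "name": "app",
                "image": "registry.example/web:1.4",
                "env": [
                    {"name": "LOG_LEVEL", "value": "info"},
                    {"name": "DB_PASSWORD", "value": "hunter2"},
                    {"name": "API_TOKEN",
                     "valueFrom": {"secretKeyRef": {"name": "api", "key": "token"}}},
                ],
            }]},
        },
        {
            "metadata": {"namespace": "kube-system", "name": "dns-5c7b"},
            "spec": {"containers": [{"name": "dns", "image": "registry.example/dns:1.12"}]},
        },
    ],
})

# Variable names that usually carry secrets; tune this for your environment.
CREDENTIAL_NAME = re.compile(r"PASS|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL", re.I)

Finding = Tuple[str, str, str, str]  # (namespace, pod, container, env var name)


def read_only_port_enabled(configz_json: str) -> bool:
    """True if the kubelet configuration leaves the unauthenticated port on.

    Upstream kubelet defaults ReadOnlyPort to 10255 when the field is unset;
    only an explicit 0 disables the listener.
    """
    cfg = json.loads(configz_json).get("kubeletconfig", {})
    return int(cfg.get("readOnlyPort", 10255)) != 0


def exposed_literal_env(podlist_json: str) -> List[Finding]:
    """List credential-looking env vars that the read-only port reveals in clear.

    Only entries with a literal `value` leak; `valueFrom` references to Secrets
    or ConfigMaps come back unresolved and are therefore not reported.
    """
    findings: List[Finding] = []
    for pod in json.loads(podlist_json).get("items", []):
        meta = pod.get("metadata", {})
        spec = pod.get("spec", {})
        containers = spec.get("initContainers", []) + spec.get("containers", [])
        for container in containers:
            for env in container.get("env", []):
                if "value" in env and CREDENTIAL_NAME.search(env.get("name", "")):
                    findings.append((meta.get("namespace", ""), meta.get("name", ""),
                                     container.get("name", ""), env["name"]))
    return findings


def probe_read_only_port(host: str, timeout: float = 3.0) -> Optional[str]:
    """Return the /pods body if the node answers without credentials, else None."""
    try:
        with urllib.request.urlopen(f"http://{host}:10255/pods", timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError, ValueError):
        return None


if __name__ == "__main__":
    # Usage: python k3s_roport_audit.py [node-ip ...]; no arguments runs the samples.
    hosts = sys.argv[1:]
    if not hosts:
        print("sample configz leaves ReadOnlyPort enabled:", read_only_port_enabled(SAMPLE_CONFIGZ))
        for ns, pod, ctr, var in exposed_literal_env(SAMPLE_PODS):
            print(f"sample /pods reveals literal credential-like env: {ns}/{pod} {ctr} {var}")
    for host in hosts:
        body = probe_read_only_port(host)
        if body is None:
            print(f"{host}: no unauthenticated answer on 10255 (disabled or filtered)")
        else:
            hits = exposed_literal_env(body)
            print(f"{host}: EXPOSED read-only port; {len(hits)} credential-like literal env vars visible")
```

Run it with no arguments to exercise the embedded samples, or with node addresses to probe port 10255 directly from an administrative host. A node that answers /pods without credentials is exposed regardless of what configz says; readOnlyPort 0 in configz together with a refused connection is the state to aim for. The name pattern only flags variables that look like credentials, so also review the full env list of each pod for sensitive values under less obvious names.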
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-04-25T00:00:00.000Z
- CISA Enriched: true
Threat ID: 682d983fc4522896dcbf0545
Added to database: 5/21/2025, 9:09:19 AM
Last enriched: 6/24/2025, 11:56:54 AM
Last updated: 8/16/2025, 11:37:20 PM
Views: 20
Related Threats
CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server (High)
CVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
CVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)
CVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)