
CVE-2025-64323: CWE-862: Missing Authorization in kgateway-dev kgateway

Severity: Medium
Tags: Vulnerability, CVE-2025-64323, CWE-862
Published: Fri Nov 07 2025 (11/07/2025, 03:18:48 UTC)
Source: CVE Database V5
Vendor/Project: kgateway-dev
Product: kgateway

Description

kgateway is a Cloud-Native API and AI Gateway. Versions 2.0.4 and below and 2.1.0-agw-cel-rbac through 2.1.0-rc.2 lack authentication, allowing any client with unrestricted network access to the xDS port to retrieve potentially sensitive configuration data including certificate data, backend service information, routing rules, and cluster metadata. This issue is solved in versions 2.0.5 and 2.1.0.

AI-Powered Analysis

AI analysis last updated: 11/14/2025, 04:49:49 UTC

Technical Analysis

CVE-2025-64323 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the kgateway product, a cloud-native API and AI gateway solution. Versions 2.0.4 and earlier, as well as versions from 2.1.0-agw-cel-rbac up to but not including 2.1.0, lack proper authentication controls on the xDS port. The xDS port is used for dynamic configuration delivery in service mesh and gateway environments. Due to missing authorization, any client with network access to this port can query and retrieve sensitive configuration data without authentication. This data includes certificate material, backend service information, routing rules, and cluster metadata, which could facilitate further attacks such as man-in-the-middle, service impersonation, or reconnaissance for lateral movement. The vulnerability has a CVSS 3.1 base score of 5.3 (medium severity), reflecting high confidentiality impact but no impact on integrity or availability. Exploitation requires network access but no privileges or user interaction. The vulnerability was publicly disclosed on November 7, 2025, and fixed in versions 2.0.5 and 2.1.0. No known exploits are reported in the wild as of the publication date. Given the nature of kgateway as a cloud-native API gateway, this vulnerability poses a risk to organizations relying on it for secure API management and AI service orchestration.

Potential Impact

For European organizations, the exposure of sensitive configuration data can lead to significant confidentiality breaches. Attackers gaining access to certificate data could impersonate services or decrypt communications, undermining trust and security of internal and external APIs. Disclosure of backend service information and routing rules can facilitate targeted attacks, lateral movement, or service disruption attempts. Organizations in sectors with stringent data protection requirements, such as finance, healthcare, and critical infrastructure, face increased regulatory and reputational risks. The vulnerability could also impact cloud service providers and managed service operators using kgateway, potentially affecting multiple downstream customers. Although the vulnerability does not directly affect system integrity or availability, the indirect consequences of data exposure could lead to more severe attacks. The requirement for network access to the xDS port means that organizations with poorly segmented networks or exposed management interfaces are at higher risk.

Mitigation Recommendations

Organizations should immediately upgrade kgateway to versions 2.0.5 or 2.1.0 or later to remediate the missing authorization issue. Until patching is complete, restrict network access to the xDS port using firewall rules, network segmentation, or zero-trust network controls to limit exposure to trusted management hosts only. Conduct audits of existing network configurations to ensure that the xDS port is not exposed to untrusted networks or the internet. Implement strict access controls and monitoring on API gateway management interfaces to detect unauthorized access attempts. Review and rotate any certificates or credentials that may have been exposed due to this vulnerability. Incorporate this vulnerability into incident response plans and threat hunting activities to identify potential exploitation. Finally, ensure that future deployments of kgateway or similar gateways enforce authentication and authorization by default on all management and configuration interfaces.
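The interim mitigation above (limit reachability of the xDS port to trusted clients until the upgrade lands) can be expressed in-cluster as a Kubernetes NetworkPolicy. The manifest below is an added example written for this page, not configuration shipped by the kgateway project; the namespace, pod labels and the xDS port number are assumptions and must be replaced with the values from your deployment (the advisory does not state the port).

```yaml
# Added example, not part of the kgateway project.
# Allows only the gateway's own proxy pods to reach the control plane's
# xDS port; every other source in the cluster is denied by this policy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-kgateway-xds
  namespace: kgateway-system            # ASSUMPTION: control-plane namespace
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: kgateway  # ASSUMPTION: label on the control-plane pod
  policyTypes:
    - Ingress
  ingress:
    # Rule 1: xDS only from proxy pods carrying the assumed client label,
    # in any namespace that carries the assumed namespace label.
    - from:
        - namespaceSelector:
            matchLabels:
              kgateway.example/xds-client: "true"   # ASSUMPTION: label you apply to gateway namespaces
          podSelector:
            matchLabels:
              kgateway.example/xds-client: "true"   # ASSUMPTION: label you apply to proxy pods
      ports:
        - protocol: TCP
          port: 9977                               # PLACEHOLDER: replace with the real xDS port
    # Rule 2: keep any other legitimately exposed port reachable, otherwise
    # selecting the pod above silently blocks it too (e.g. metrics scraping).
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: monitoring   # ASSUMPTION: scraper namespace
      ports:
        - protocol: TCP
          port: 9091                               # PLACEHOLDER: replace with the real metrics port
```

Two caveats a practitioner should check before relying on this: a NetworkPolicy is only enforced when the cluster's CNI implements it, and it only governs pod-to-pod traffic inside the cluster. If the xDS endpoint is also published through a NodePort or LoadBalancer Service, or reachable from outside through an ingress, change that Service to ClusterIP (or remove the exposure) and apply the equivalent restriction at the perimeter firewall. After applying, confirm from a pod that does not carry the client label that a connection to the xDS port is refused, and from a labelled proxy pod that it still succeeds.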


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-10-30T17:40:52.027Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 690d65e75b03e68548857302

Added to database: 11/7/2025, 3:22:15 AM

Last enriched: 11/14/2025, 4:49:49 AM

Last updated: 12/22/2025, 10:56:07 AM

