CVE-2025-64323 is a missing authorization vulnerability (CWE-862) affecting kgateway, a cloud-native API and AI gateway product. Versions 2.0.4 and earlier, as well as 2.1.0-agw-cel-rbac through 2.1.0-rc.2, do not enforce authentication on the xDS port, which is used for configuration management. This lack of access control allows any client with unrestricted network access to this port to query and retrieve sensitive configuration information. The exposed data includes certificate material, backend service configurations, routing rules, and cluster metadata, which could be leveraged by attackers for further network reconnaissance, lateral movement, or man-in-the-middle attacks. The vulnerability does not require any authentication or user interaction, but exploitation is limited to attackers who can reach the xDS port over the network, which is typically intended for internal or trusted network segments. The issue was addressed in kgateway versions 2.0.5 and 2.1.0 by implementing proper authorization checks on the xDS port. The CVSS v3.1 score is 5.3 (medium), reflecting the high confidentiality impact but no integrity or availability impact, and the requirement for high attack complexity due to network access restrictions. No known exploits are reported in the wild as of the publication date.

For European organizations, the exposure of sensitive configuration data through this vulnerability can lead to significant security risks. Confidentiality breaches of certificate data and backend service information could enable attackers to impersonate services, intercept or manipulate traffic, and gain unauthorized access to internal systems. This is particularly critical for organizations relying on kgateway for API management and AI service orchestration, where configuration data often includes sensitive routing and cluster metadata. The vulnerability could facilitate advanced persistent threats by providing attackers with detailed network topology and security configurations. Although the vulnerability does not directly impact system integrity or availability, the indirect consequences of compromised confidentiality could lead to broader security incidents. Organizations in sectors with strict data protection regulations, such as finance, healthcare, and critical infrastructure, face increased compliance and reputational risks if exploited.

The primary mitigation is to upgrade kgateway to version 2.0.5 or 2.1.0 or later, where proper authorization controls on the xDS port are implemented. Until upgrades can be applied, organizations should restrict network access to the xDS port using network segmentation, firewall rules, or access control lists to limit exposure to trusted internal hosts only. Monitoring network traffic to detect unauthorized access attempts to the xDS port can provide early warning of exploitation attempts. Additionally, organizations should audit their kgateway configurations and certificate management practices to identify any potential exposure resulting from this vulnerability. Implementing strong network perimeter defenses and zero-trust principles around API gateway infrastructure will further reduce risk. Regular vulnerability scanning and penetration testing targeting internal network segments can help identify residual exposure.