Kubernetes Image Builder: Default Credentials Enabled in Nutanix/OVA VM Images
CVE-2025-7342 Published on August 17, 2025
VM images built with the Kubernetes Image Builder Nutanix or OVA providers use default credentials for Windows images if the user did not override them
A security issue was discovered in the Kubernetes Image Builder where default credentials are enabled during the Windows image build process when using the Nutanix or VMware OVA providers. These credentials, which allow root access, are disabled at the conclusion of the build. Kubernetes clusters are only affected if their nodes use VM images created via the Image Builder project and the vulnerability was exploited during the build process, which requires an attacker to access the build VM and modify the image while the build is in progress.
Vulnerability Analysis
CVE-2025-7342 is exploitable with network access and requires user interaction. This vulnerability is considered to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
Use of Hard-coded Credentials
The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
Products Associated with CVE-2025-7342
Affected Versions
Kubernetes Image Builder:
- Before and including 0.1.44 is affected.
- Version 0.1.45 is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.