CVE-2025-59359

Chaos · Chaos Controller Manager


Executive summary

A critical OS command injection vulnerability, identified as CVE-2025-59359, exists within the Chaos Controller Manager. When combined with a separate vulnerability (CVE-2025-59358), this flaw allows an unauthenticated attacker already within a Kubernetes cluster to execute arbitrary code remotely, potentially leading to a full system compromise. This represents a severe risk to the confidentiality, integrity, and availability of the affected cluster and its hosted applications.

Vulnerability

The vulnerability is an OS command injection flaw in the cleanTcs mutation function of the Chaos Controller Manager. Attacker-controlled input reaches this function without proper sanitization and is passed directly to a system shell for execution, so an attacker can run arbitrary commands with the privileges of the Chaos Controller Manager process. To achieve unauthenticated remote code execution, this vulnerability must be chained with CVE-2025-59358, which likely provides the initial access vector that lets an unauthenticated attacker within the cluster reach the vulnerable function.

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation could lead to a complete compromise of the container or pod running the Chaos Controller Manager. This would grant an attacker a significant foothold within the Kubernetes cluster, from which they could attempt to escalate privileges, access sensitive data, deploy ransomware, disrupt critical services, or pivot to attack other internal network resources. The potential consequences include major data breaches, prolonged service outages, and significant reputational damage.

Remediation

Immediate Action: Update all instances of Chaos Controller Manager to the latest patched version recommended by the vendor. After patching, continue to monitor for exploitation attempts and review access logs for any signs of compromise or unusual activity in the period before the patch was applied.

Proactive Monitoring: Monitor logs from Chaos Controller Manager pods for suspicious process executions, such as the controller process spawning sh, bash, curl, wget, or other unexpected shell commands. Scrutinize network traffic for anomalous outbound connections from affected pods to unknown destinations. Implement alerts for unusually high CPU usage or unexpected file modification events within the container.
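As an added illustration of the process-execution monitoring described above (example code, not from the advisory or the vendor), the following Python script scans process-execution events for shells and downloaders spawned inside Chaos Controller Manager pods. The event format, the pod-name prefix and the sample records are assumptions constructed for the example.

```python
import json
import os

# Constructed sample events (not real telemetry), one JSON object per line in
# the shape a runtime security sensor might emit for process executions.
SAMPLE_EVENTS = """\
{"ns": "chaos-testing", "pod": "chaos-controller-manager-7d9f", "parent": "chaos-controller-manager", "exe": "/bin/sh", "args": ["sh", "-c", "id"]}
{"ns": "chaos-testing", "pod": "chaos-controller-manager-7d9f", "parent": "chaos-controller-manager", "exe": "/usr/bin/busybox", "args": ["wget", "http://example.invalid/f"]}
{"ns": "chaos-testing", "pod": "chaos-daemon-k2xs", "parent": "chaos-daemon", "exe": "/bin/sh", "args": ["sh", "-c", "true"]}
{"ns": "chaos-testing", "pod": "chaos-controller-manager-7d9f", "parent": "chaos-controller-manager", "exe": "/chaos-controller-manager", "args": ["/chaos-controller-manager"]}
not json at all
"""

# Programs the advisory names as unexpected inside the controller pod.
SUSPICIOUS = {"sh", "bash", "dash", "ash", "curl", "wget"}
# Pod-name prefix of the deployment to watch (assumed; adjust to your cluster).
POD_PREFIX = "chaos-controller-manager"

def parse_events(text):
    """Parse JSON lines, skipping malformed records instead of aborting the
    whole scan because a sensor restart truncated one line."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def effective_program(event):
    """Basename of the executed binary; busybox applets are named by argv[0],
    so '/usr/bin/busybox wget ...' is reported as 'wget'."""
    name = os.path.basename(event.get("exe", ""))
    args = event.get("args") or []
    if name == "busybox" and args:
        name = os.path.basename(args[0])
    return name

def find_alerts(events, pod_prefix=POD_PREFIX):
    """Return one alert per shell/downloader execution inside matching pods."""
    alerts = []
    for ev in events:
        if not str(ev.get("pod", "")).startswith(pod_prefix):
            continue
        prog = effective_program(ev)
        if prog in SUSPICIOUS:
            alerts.append({"pod": ev["pod"], "program": prog, "args": ev.get("args") or []})
    return alerts

if __name__ == "__main__":
    for a in find_alerts(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT {a['pod']}: {a['program']} {' '.join(a['args'][1:])}")
```

Executions in other pods (the chaos-daemon line) and the controller re-executing its own binary are ignored; only the shell and the busybox wget inside the controller pod are reported.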

Compensating Controls: If immediate patching is not feasible, implement strict Kubernetes NetworkPolicies to restrict all non-essential ingress and egress traffic to and from the Chaos Controller Manager pods. Employ a runtime security solution to detect and block anomalous process execution within the container. If the injection vector is web-based, an appropriately configured Web Application Firewall (WAF) may provide a temporary shield against exploitation attempts.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Due to the critical severity (CVSS 9.8) of this vulnerability, we strongly recommend that organizations prioritize the immediate patching of all affected Chaos Controller Manager instances. The potential for unauthenticated remote code execution within a cluster environment presents an unacceptable risk. Although this CVE is not currently listed in the CISA KEV catalog, its characteristics make it a prime candidate for future inclusion, and it should be treated with the highest urgency. All remediation and monitoring actions should be initiated without delay.