CVE-2025-59360
Chaos · Chaos Controller Manager
A critical OS command injection vulnerability exists within the Chaos Controller Manager software.
Executive summary
A critical OS command injection vulnerability exists within the Chaos Controller Manager software. This flaw, identified as CVE-2025-59360, can be combined with another vulnerability to allow an unauthenticated attacker within the same cluster to execute arbitrary code remotely, potentially leading to a complete system compromise.
Vulnerability
The killProcesses mutation within the Chaos Controller Manager is susceptible to an OS command injection attack. An attacker with access to the cluster can send a specially crafted request to this function, injecting malicious commands that are then executed with the privileges of the Chaos Controller Manager process. When chained with CVE-2025-59358, this vulnerability can be exploited by an unauthenticated attacker, escalating the attack from a local, authenticated vector to an unauthenticated remote code execution scenario within the cluster.
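To make the class of flaw concrete, the following added Go sketch (not the project's code, and not a reproduction of the actual Chaos Controller Manager implementation) contrasts a hypothetical process-kill handler that splices caller-supplied process ids into a shell command line with a hardened version that validates each id as a positive integer and invokes kill with separate arguments and no shell. The function names, the "kill -9" command line and the argument shape are assumptions for illustration only.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strconv"
	"strings"
)

// ErrBadPID is returned when a caller-supplied process id is not a positive integer.
var ErrBadPID = errors.New("invalid process id")

// unsafeKillCommand is the injection-prone pattern (hypothetical, not the
// project's code): caller-controlled strings are concatenated into a command
// line that a shell then parses, so a value containing ";" or "&&" ends the
// kill command and starts another one with the process's privileges.
func unsafeKillCommand(pids []string) *exec.Cmd {
	return exec.Command("sh", "-c", "kill -9 "+strings.Join(pids, " "))
}

// parsePIDs allow-lists the input: every id must parse as a positive integer,
// and the canonical decimal form is returned so nothing from the raw string
// reaches the command line.
func parsePIDs(raw []string) ([]string, error) {
	out := make([]string, 0, len(raw))
	for _, r := range raw {
		n, err := strconv.ParseUint(strings.TrimSpace(r), 10, 32)
		if err != nil || n == 0 {
			return nil, fmt.Errorf("%w: %q", ErrBadPID, r)
		}
		out = append(out, strconv.FormatUint(n, 10))
	}
	return out, nil
}

// safeKillCommand is the hardened form: validated ids are passed as separate
// argv elements and no shell is involved, so metacharacters have no meaning
// even if validation were ever bypassed.
func safeKillCommand(pids []string) (*exec.Cmd, error) {
	clean, err := parsePIDs(pids)
	if err != nil {
		return nil, err
	}
	args := append([]string{"-9"}, clean...)
	return exec.Command("kill", args...), nil
}

func main() {
	// Constructed inputs: one benign request and one carrying a metacharacter.
	for _, in := range [][]string{{"1234", "5678"}, {"1234; echo injected"}} {
		cmd, err := safeKillCommand(in)
		if err != nil {
			fmt.Printf("rejected %q: %v\n", in, err)
			continue
		}
		fmt.Printf("would run argv %q\n", cmd.Args)
	}
}
```

The two versions differ in where trust is placed: the unsafe one trusts the shell to interpret a string it did not author, while the hardened one never hands the shell anything at all, and rejects input before it reaches exec.Command.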
Business impact
This vulnerability presents a critical risk to the organization, reflected by its CVSS score of 9.8. Successful exploitation grants an attacker the ability to execute remote code on the affected systems, leading to a full compromise of the application's container or pod. This could result in sensitive data exfiltration, service disruption, deployment of malware or ransomware, and lateral movement to compromise other parts of the Kubernetes cluster and corporate network.
Remediation
Immediate Action: The primary remediation is to apply the security patches provided by the vendor. Organizations must update the Chaos Controller Manager to the latest version that addresses this vulnerability. After patching, it is crucial to monitor for any signs of post-exploitation activity and review access logs for suspicious requests targeting the killProcesses mutation.
Proactive Monitoring: Security teams should actively monitor for indicators of compromise. This includes looking for unusual or unexpected processes being spawned by the Chaos Controller Manager, reviewing logs for malformed API requests containing shell metacharacters (e.g., ";", "|", "&&"), and monitoring for anomalous outbound network connections from the affected pods.
Compensating Controls: If immediate patching is not feasible, implement compensating controls to reduce the risk. Restrict network access to the Chaos Controller Manager API, enforce strict Role-Based Access Control (RBAC) policies to limit which users or service accounts can trigger mutations, and consider deploying a Web Application Firewall (WAF) or runtime security agent capable of detecting and blocking command injection attempts.
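As an added example of the log review recommended above (not part of the advisory and not the project's own tooling), the Go program below scans request log lines for killProcesses mutations whose arguments carry shell metacharacters or non-numeric process ids. The log line format, the "pids" argument name and the sample lines are constructed for this example; the regular expressions would need adapting to the controller's real log format.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Finding is one log line, and one argument within it, that deserves analyst attention.
type Finding struct {
	LineNo int
	Source string // client address from the log line, if present
	Value  string // the offending argument value, if any
	Reason string
}

// Log line format assumed for this example (constructed, not the controller's real format):
//   <timestamp> <level> graphql mutation=<name> args=<json> src=<client ip>
var (
	mutationRe = regexp.MustCompile(`mutation=(\S+)`)
	argsRe     = regexp.MustCompile(`args=(\{.*\})`)
	srcRe      = regexp.MustCompile(`src=(\S+)`)
	numericRe  = regexp.MustCompile(`^[0-9]+$`)
	// Characters that let one argument become a pipeline, a second command or a substitution.
	metaRe = regexp.MustCompile("[;|&`$<>\n]")
)

// sampleLog is constructed input for the example; lines 3 to 5 are the ones
// a reviewer should see flagged.
var sampleLog = []string{
	`2025-10-01T12:00:00Z INFO graphql mutation=killProcesses args={"pids":["1234","5678"]} src=10.0.0.5`,
	`2025-10-01T12:00:01Z INFO graphql mutation=listPods args={"ns":"default"} src=10.0.0.5`,
	`2025-10-01T12:00:02Z INFO graphql mutation=killProcesses args={"pids":["1234; echo injected"]} src=10.0.0.9`,
	`2025-10-01T12:00:03Z INFO graphql mutation=killProcesses args={"pids":["1 && true"]} src=10.0.0.9`,
	`2025-10-01T12:00:04Z INFO graphql mutation=killProcesses args={"pids":["abc"]} src=10.0.0.9`,
	`2025-10-01T12:00:05Z INFO graphql mutation=killProcesses args={"pids":[1234]} src=10.0.0.5`,
}

func srcOf(line string) string {
	if s := srcRe.FindStringSubmatch(line); s != nil {
		return s[1]
	}
	return ""
}

// scanLine inspects one log line and returns findings only for killProcesses
// requests whose pid arguments are not plain integers.
func scanLine(n int, line string) []Finding {
	m := mutationRe.FindStringSubmatch(line)
	if m == nil || m[1] != "killProcesses" {
		return nil
	}
	a := argsRe.FindStringSubmatch(line)
	if a == nil {
		return []Finding{{LineNo: n, Source: srcOf(line), Reason: "killProcesses request without parseable args"}}
	}
	// pids may be logged as strings or numbers, so decode loosely and normalise to text.
	var args struct {
		PIDs []interface{} `json:"pids"`
	}
	if err := json.Unmarshal([]byte(a[1]), &args); err != nil {
		return []Finding{{LineNo: n, Source: srcOf(line), Value: a[1], Reason: "malformed args JSON: " + err.Error()}}
	}
	var out []Finding
	for _, v := range args.PIDs {
		p := fmt.Sprint(v)
		switch {
		case metaRe.MatchString(p):
			out = append(out, Finding{LineNo: n, Source: srcOf(line), Value: p, Reason: "shell metacharacter in pid argument"})
		case !numericRe.MatchString(p):
			out = append(out, Finding{LineNo: n, Source: srcOf(line), Value: p, Reason: "non-numeric pid argument"})
		}
	}
	return out
}

// scanLogs runs scanLine over a whole log, numbering lines from 1.
func scanLogs(lines []string) []Finding {
	var out []Finding
	for i, l := range lines {
		out = append(out, scanLine(i+1, l)...)
	}
	return out
}

func main() {
	for _, f := range scanLogs(sampleLog) {
		fmt.Printf("line %d src=%s value=%q: %s\n", f.LineNo, f.Source, f.Value, f.Reason)
	}
}
```

The scanner is deliberately strict rather than signature-based: a process id has exactly one legitimate shape, so anything that is not a plain integer is worth a look, and the client address is carried along so repeated findings from one source stand out.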
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical CVSS score of 9.8 and the potential for unauthenticated remote code execution, this vulnerability requires immediate attention. We strongly recommend that all affected instances of Chaos Controller Manager be patched to the latest version on an emergency basis. Due to the severity of the flaw, organizations should assume potential compromise and conduct a thorough investigation for any signs of malicious activity preceding the application of the patch.