A critical OS command injection vulnerability exists within the Chaos Controller Manager, identified as CVE-2025-59361. When combined with a separate vulnerability, this flaw allows an unauthenticated attacker within the same cluster to execute arbitrary code remotely, potentially leading to a complete compromise of the affected system and the surrounding containerized environment.

The vulnerability is an OS command injection flaw within the cleanIptables function of the Chaos Controller Manager. An attacker can craft malicious input that is not properly sanitized by the application. This input is then passed directly to a system shell for execution. When chained with CVE-2025-59358, an unauthenticated attacker located within the Kubernetes cluster can trigger this function, allowing them to execute arbitrary commands with the privileges of the Chaos Controller Manager process, resulting in remote code execution (RCE).

This vulnerability is rated as critical severity with a CVSS score of 9.8, posing a significant and immediate risk to the organization. Successful exploitation could lead to a complete compromise of the host system running the controller, enabling an attacker to steal sensitive data, deploy malware or ransomware, disrupt critical services, and pivot to other systems within the internal network. Given its location in a chaos engineering tool, a compromise could also severely impact the stability and integrity of the entire cluster environment it manages, leading to widespread operational outages.

Immediate Action: The primary remediation is to update all instances of Chaos Controller Manager to the latest secure version provided by the vendor. After patching, it is crucial to monitor systems for any signs of post-exploitation activity and review historical access logs for indicators of compromise.

Proactive Monitoring: Security teams should monitor for anomalous process execution originating from the Chaos Controller Manager process, such as unexpected shell commands (sh, bash, curl, wget). Scrutinize network traffic for unusual outbound connections from the controller's pod or node. Review Kubernetes API server audit logs for suspicious requests targeting the Chaos Controller Manager.

Compensating Controls: If immediate patching is not feasible, implement the following controls to mitigate risk:

• Apply strict Kubernetes Network Policies to limit inbound and outbound network traffic to and from the Chaos Controller Manager pods to only essential communication.
• Utilize a runtime security solution to detect and block anomalous behavior, such as unexpected process execution or file modifications within the container.
• Enhance egress filtering to prevent the compromised component from connecting to attacker-controlled command-and-control servers.

Public Exploit Available: false

Given the critical CVSS score of 9.8 and the potential for complete system compromise, this vulnerability requires immediate attention. We strongly recommend that organizations prioritize the deployment of vendor-supplied patches to all affected systems without delay. Although there is no evidence of active exploitation, the public disclosure of this high-impact flaw makes it a likely target for future threat actor activity. All mitigation and monitoring efforts should be implemented urgently to protect critical infrastructure.