CVE-2025-59824
vulnerability analysis and mitigation

Overview

CVE-2025-59824 affects Omni, Sidero Labs' Kubernetes management platform for Talos Linux machines running on bare metal, virtual machines, or in the cloud. The vulnerability is present in versions prior to 0.48.0 and lies in the SideroLink component, the WireGuard-based peer-to-peer link over which Omni and each Talos machine mutually authenticate and authorize one another. It was disclosed on September 24, 2025. The flaw is a missing destination-address check on packets arriving over that link, which lets a Talos peer reach more of Omni than the link is meant to expose (GitHub Advisory).

Technical details

The vulnerability stems from incomplete validation of packets arriving on the SideroLink WireGuard interface. Omni assigns each Talos machine a random IPv6 address from a /64 block and itself uses the fixed ::1 address within that same block. Omni checks that the source address of an incoming packet matches the IPv6 address assigned to the sending Talos peer, but it does not check the packet's destination address. A peer can therefore craft a packet with its own legitimate source address and an arbitrary destination, and Omni will accept it even though the only intended destination is Omni's own ::1 endpoint (GitHub Advisory). The vulnerability has been assigned a CVSS v4.0 score indicating LOW severity, with the vector string CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U (NVD); the PR:H component reflects that the attacker must already control an enrolled Talos machine.

Impact

What an attacker can reach depends on Omni's IP forwarding configuration. With IP forwarding disabled (the default), an attacker controlling a Talos machine can address packets over SideroLink to any service listening on Omni itself, including internal APIs that were never meant to be reachable from a peer. If Omni runs in host networking mode, other services on the host machine are reachable the same way. With IP forwarding enabled, the attacker can additionally communicate with other Talos machines connected to Omni or route packets deeper into Omni's network (GitHub Advisory).
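The following Go program models the check described in the technical details and the impact section above. It is an added illustration, not Omni's code and not the content of the fix commit: the /64 prefix, the peer addresses, and the raw IPv6 header handling are constructed for the example. In a standard WireGuard deployment the source-address check comes from cryptokey routing (a packet whose inner source is outside the peer's AllowedIPs is dropped), so the destination check is the part an application has to add itself. `validateSourceOnly` reproduces the pre-0.48.0 behaviour the advisory describes, and `validateSourceAndDest` shows the missing check: a packet from a legitimate peer aimed at another peer's address (the lateral scenario) or at anything other than Omni's ::1 endpoint is rejected.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net/netip"
)

// Constructed values for the example: Omni assigns each Talos peer a random
// address inside a /64 and uses ::1 of that /64 itself (per the advisory).
// The prefix below is an assumption, not a real Omni deployment value.
var (
	siderolinkPrefix = netip.MustParsePrefix("fdae:41e4:649b:9303::/64")
	omniAddr         = netip.MustParseAddr("fdae:41e4:649b:9303::1")
)

var (
	ErrMalformed = errors.New("malformed IPv6 packet")
	ErrSrc       = errors.New("source address does not match the peer's assigned address")
	ErrDst       = errors.New("destination address is not the Omni SideroLink endpoint")
)

// addr16 copies 16 bytes out of a packet into a netip.Addr.
func addr16(b []byte) netip.Addr {
	var a [16]byte
	copy(a[:], b)
	return netip.AddrFrom16(a)
}

// parseIPv6 extracts the source and destination addresses from a raw IPv6
// header (version nibble must be 6, header is 40 bytes).
func parseIPv6(pkt []byte) (src, dst netip.Addr, err error) {
	if len(pkt) < 40 || pkt[0]>>4 != 6 {
		return netip.Addr{}, netip.Addr{}, ErrMalformed
	}
	return addr16(pkt[8:24]), addr16(pkt[24:40]), nil
}

// validateSourceOnly models the vulnerable behaviour: only the source is
// compared against the address assigned to the peer; any destination passes.
func validateSourceOnly(pkt []byte, peer netip.Addr) error {
	src, _, err := parseIPv6(pkt)
	if err != nil {
		return err
	}
	if src != peer {
		return ErrSrc
	}
	return nil
}

// validateSourceAndDest adds the missing check: the destination must be Omni's
// own ::1 endpoint, so the peer cannot address other peers, other services on
// the host, or anything reachable through IP forwarding.
func validateSourceAndDest(pkt []byte, peer netip.Addr) error {
	src, dst, err := parseIPv6(pkt)
	if err != nil {
		return err
	}
	if src != peer {
		return ErrSrc
	}
	if dst != omniAddr {
		return ErrDst
	}
	return nil
}

// buildIPv6 assembles a minimal IPv6 packet for the constructed test traffic.
func buildIPv6(src, dst netip.Addr, payload []byte) []byte {
	pkt := make([]byte, 40+len(payload))
	pkt[0] = 6 << 4                                           // version 6
	binary.BigEndian.PutUint16(pkt[4:6], uint16(len(payload))) // payload length
	pkt[6] = 17                                               // next header: UDP
	pkt[7] = 64                                               // hop limit
	s, d := src.As16(), dst.As16()
	copy(pkt[8:24], s[:])
	copy(pkt[24:40], d[:])
	copy(pkt[40:], payload)
	return pkt
}

func main() {
	// Assumed peer addresses inside the /64; both are constructed for the example.
	peer := netip.MustParseAddr("fdae:41e4:649b:9303:7c3a:1f44:9e02:b5d1")
	other := netip.MustParseAddr("fdae:41e4:649b:9303:2ab:cc13:77e4:19")
	fmt.Println("peer inside prefix:", siderolinkPrefix.Contains(peer))

	legit := buildIPv6(peer, omniAddr, []byte("api call"))  // intended traffic
	lateral := buildIPv6(peer, other, []byte("to other peer")) // destination abuse
	spoofed := buildIPv6(other, omniAddr, []byte("forged src")) // source spoofing

	for name, pkt := range map[string][]byte{"legit": legit, "lateral": lateral, "spoofed": spoofed} {
		fmt.Printf("%-8s source-only: %v | source+dest: %v\n",
			name, validateSourceOnly(pkt, peer), validateSourceAndDest(pkt, peer))
	}
}
```

Running it shows the asymmetry the advisory describes: the source-only check accepts the lateral packet because its source is genuine, while the combined check rejects it with `ErrDst`; both checks reject the spoofed source.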

Mitigation and workarounds

The vulnerability has been patched in Omni version 0.48.0 with commit a5efd816a239e6c9e5ea7c0d43c02c04504d7b60. For users unable to update immediately, the recommended workarounds are to keep IP forwarding disabled on the Omni host and to apply strict firewall rules. Given the mechanism above, the firewall rule that matters is one on the SideroLink WireGuard interface that only accepts inbound traffic destined for Omni's ::1 address in the SideroLink /64 and drops everything else; note that disabling forwarding alone still leaves services listening on Omni itself reachable from a peer (GitHub Advisory, GitHub Commit).

This report was generated using AI.