Last updated: July 5, 2026 at 9:01 AM UTC
Tag: kubernetes (3 articles)

Unpatched Argo CD flaw lets attackers take over Kubernetes clusters

Researchers at Synacktiv disclosed an unpatched flaw in Argo CD, the popular GitOps tool for deploying to Kubernetes, that can lead to full cluster takeover. The problem is in repo-server, the component that turns Git repository files into Kubernetes manifests: its internal gRPC service requires no authentication, so anyone who can reach it on the cluster network can send a crafted request and run commands. Synacktiv reported it about eighteen months ago, but there is still no fix and no CVE, so it went public to warn users. With no patch, the practical defense is network isolation using Kubernetes network policies.

Check
Check whether Kubernetes network policies restrict access to Argo CD's repo-server and Redis, using kubectl get networkpolicy across namespaces; Helm installs leave these policies off by default, exposing the ports cluster-wide.
Affected
Argo CD deployments where the repo-server's unauthenticated internal service is reachable from the wider cluster network; any workload that can reach it can run commands and take over the cluster.
Fix
Enable Kubernetes network policies so only Argo CD components can reach the repo-server and Redis ports, isolate Argo CD on the cluster network, and watch for an official fix to apply.
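As an added example (not from the page or the Argo CD project), the two policies below implement the isolation described above: only Argo CD's own pods may reach the repo-server gRPC port and the Redis port. Assumptions: Argo CD is installed in the argocd namespace with the app.kubernetes.io/name labels used by the upstream manifests, the default ports 8081 (repo-server) and 6379 (Redis) are in use, and the cluster CNI enforces NetworkPolicy.

```yaml
# Added example, not the project's own manifests. Assumed labels, ports and
# namespace; adjust to your install. Ingress not listed here is denied.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: argocd-repo-server-network-policy
  namespace: argocd
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-repo-server
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: argocd-server
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: argocd-application-controller
      ports:
        - protocol: TCP
          port: 8081
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: argocd-redis-network-policy
  namespace: argocd
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-redis
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: argocd-server
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: argocd-repo-server
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: argocd-application-controller
      ports:
        - protocol: TCP
          port: 6379
```

Add any other component that legitimately calls the repo-server (for example a notifications controller, if deployed) to the first policy's from list, and verify after applying with kubectl get networkpolicy -n argocd; a CNI that does not enforce NetworkPolicy accepts these objects without blocking anything, so test from a pod outside the allow list.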

Azure Backup for AKS lets low-privileged Backup Contributors gain cluster-admin, Microsoft blocked CVE (VU#284781)

Microsoft has refused to issue a CVE for what an outside researcher and the CERT Coordination Center both describe as a privilege escalation in Azure Backup for Azure Kubernetes Service. The flaw lets a user holding only the low-privileged 'Backup Contributor' Azure role gain cluster-admin on AKS clusters, which Microsoft dismissed by saying the attacker 'already held administrator access.' CERT/CC validated the bug and tracked it as VU#284781. The researcher says Microsoft also tried to get MITRE to reject the submission as 'AI-generated content,' then quietly added new permission checks, suggesting a silent patch even as Microsoft says 'no product changes were made.'

Check
Audit Azure RBAC assignments on subscriptions hosting AKS clusters. Identify every principal holding the 'Backup Contributor' role and confirm each is one you would knowingly grant cluster-admin on those clusters.
Affected
Azure Kubernetes Service clusters with Azure Backup for AKS enabled, where the 'Backup Contributor' role has been assigned. No CVE issued; CERT tracking ID VU#284781.
Fix
Restrict the 'Backup Contributor' role to trusted operators only. No vendor patch acknowledged; rely on least-privilege RBAC until Microsoft confirms a fix. Monitor MSRC for updates.

New Linux malware called 'Quasar Linux' targets developer laptops to steal credentials for npm, GitHub, AWS, and Docker - barely detected by antivirus

Trend Micro disclosed Quasar Linux (QLNX), a previously undocumented Linux remote access trojan designed for developer workstations and DevOps environments. The malware harvests credentials for npm, PyPI, GitHub, AWS, Docker, and Kubernetes - then uses them to publish trojanized packages to public registries. QLNX runs entirely fileless and in-memory, dynamically compiling its rootkit and PAM backdoor on the target host using gcc, then loading them via /etc/ld.so.preload for system-wide interception. Capabilities include a 58-command RAT, dual-layer rootkit, keylogging, SSH lateral movement, and peer-to-peer mesh networking. Only four security tools detect the binary as malicious.

Check
Hunt Linux developer machines and CI runners for /etc/ld.so.preload entries you didn't put there, /tmp/.X*-lock files outside legitimate X server use, and gcc invocations on hosts that don't normally compile code.
Affected
Linux developer workstations and DevOps environments with credential access to npm, PyPI, GitHub, AWS, Docker, or Kubernetes. Acute risk for organizations with developers running root-capable Linux desktops, particularly those whose CI/CD pipelines pull dependencies from public registries. Compromised credentials enable supply-chain attacks against the organization's own published packages.
Fix
Deploy Linux EDR with eBPF visibility on every developer machine and CI runner - QLNX hides from userland tools, but eBPF-aware sensors detect the kernel-level rootkit. Alert on any modification of /etc/ld.so.preload with auditd file-watch rules. For high-risk developers: use ephemeral build environments (containers, VMs) that don't carry persistent credentials. Trend Micro published IoCs.