LiveActive security incident?Get immediate response
CVE Record

CVE-2021-25736: Windows kube-proxy LoadBalancer contention

Kube-proxy on Windows can unintentionally forward traffic to local processes listening on the same port (“spec.ports[*].port”) as a LoadBalancer Service when the LoadBalancer controller does not set the “status.loadBalancer.ingress[].ip” field. Clusters where the LoadBalancer controller sets the “status.loadBalancer.ingress[].ip” field are unaffected.

MediumCVSS 5.8Not KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

This issue affects Kubernetes clusters with Windows kube-proxy in a specific LoadBalancer configuration. Traffic meant for a LoadBalancer Service could be sent to a local Windows process listening on the same port. Clusters whose LoadBalancer controller sets status.loadBalancer.ingress[].ip are described as unaffected.

Executive priority

Treat as a targeted Kubernetes configuration risk, not a broad emergency. Prioritize clusters with Windows nodes and external LoadBalancer Services, especially where sensitive traffic is exposed or controller behavior is unknown.

Technical view

Windows kube-proxy can forward traffic to local processes bound to spec.ports[*].port when a LoadBalancer Service lacks status.loadBalancer.ingress[].ip. The CVSS vector indicates network reachability, high attack complexity, high privileges required, no user interaction, scope change, and high confidentiality impact.

Likely exposure

Exposure is limited to Kubernetes environments using Windows kube-proxy, LoadBalancer Services, and controllers that do not populate status.loadBalancer.ingress[].ip. Linux-only clusters or clusters with ingress IP populated are not indicated as affected by the provided sources.

Exploitation context

The source bundle does not show KEV listing or public active exploitation. Exploitation appears configuration-dependent and requires high privileges per CVSS. The main risk is unintended disclosure through traffic being routed to a local process on a Windows node.

Researcher notes

The provided CVE data names Kubernetes Windows kube-proxy behavior and the ingress IP condition, but does not include affected release ranges or fixed versions. Avoid expanding scope beyond Windows kube-proxy and the stated LoadBalancer status condition.

Mitigation direction

  • Check Kubernetes security announcement and vendor guidance for fixed or recommended versions.
  • Ensure LoadBalancer controllers populate status.loadBalancer.ingress[].ip where applicable.
  • Review Windows nodes for unnecessary local listeners on LoadBalancer Service ports.
  • Prioritize remediation for clusters exposing sensitive services through LoadBalancer Services.
  • Consult NetApp guidance only if relevant to your Kubernetes distribution or product stack.

Validation and detection

  • Inventory Kubernetes clusters using Windows nodes and kube-proxy.
  • List LoadBalancer Services and check whether status.loadBalancer.ingress[].ip is populated.
  • Identify Windows node processes listening on matching LoadBalancer Service ports.
  • Review controller behavior for Services whose ingress IP remains unset.
  • Confirm remediation status against Kubernetes and vendor advisories.
Prepared
Confidence
medium
Sources
5

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-114: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

Container behavior lookup

The affected technology mentions containers, so container-specific ATT&CK technique review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2021-25736 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Medium
CVSS
5.8 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
4Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
5.8CVSS 3.1MediumCVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N1.34Primary CVE score

Vulnerability scoring details

Base CVSS 3.1 score

5.8Medium
CVSS 3.1 vector shape for CVE-2021-25736Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
KubernetesKubernetes0unaffected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-114 · source CWE mapping

Process Control

Process Control represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.