The SUSE Rancher Security team has issued an urgent advisory regarding a high-severity vulnerability in Rancher, the industry-leading open-source container management platform. Tracked as CVE-2026-25705 with a CVSS score of 8.4, the flaw lies in the Rancher Extensions system and could allow a malicious actor to compromise the entire management infrastructure.
Rancher is designed to make it easy to run Kubernetes everywhere and empower DevOps teams, but this “Arbitrary file access” vulnerability demonstrates that even centralized management tools can become significant attack vectors.
The vulnerability exists within the way Rancher handles UIPlugin deployments. According to the advisory, “A vulnerability has been identified in Rancher’s Extensions where malicious code can be injected in Rancher through a path traversal in the compressed Endpoint field inside a UIPlugin deployment.”
By exploiting this path traversal, a malicious UI extension can “break out” of its intended directory to access or modify sensitive files on the Rancher server.
Potential Impact of Exploitation:
- Binary Hijacking: Attackers could overwrite Rancher binaries or configuration files to inject persistent malicious code.
- Cluster Tampering: Malicious actors could write to /var/lib/rancher/ to directly tamper with the cluster state.
- Host System Access: If hostPath volumes are mounted, the exploit could be used to write directly to the host node filesystem.
- Attack Chaining: This flaw can serve as a foundational step to be “chained with other attack vectors” for a total system takeover.
The SUSE Rancher team has released several patched versions to address this issue. The fix works by ensuring that any file extracted from a UI Plugin’s compressed Endpoint is strictly created within a designated cache directory and that its path may not contain the ../ sequence required for traversal. Additionally, icons referenced in index.yaml must now always resolve to a file within the repository directory.
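To make the containment rule concrete, here is an added illustration in Go (Rancher's implementation language) of how an extractor can enforce "strictly inside the cache directory" before writing anything to disk. This is example code, not Rancher's own fix: `SafeJoin`, `ExtractEntry`, `ErrPathEscape` and the sample bundle entries are constructed for this example, and it assumes entries are named by relative paths and that the cache directory is an absolute path with no symlinks pointing outside it. The same check covers the index.yaml icon rule, since an icon reference must likewise resolve to a file under the repository directory.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrPathEscape is returned for any entry that would land outside the cache
// directory: "../" segments, an absolute path, or a path that resolves to the
// directory itself. (Hypothetical name, not a Rancher identifier.)
var ErrPathEscape = errors.New("entry path escapes the plugin cache directory")

// SafeJoin anchors entry under cacheDir and returns the resulting path only if
// it lies strictly inside cacheDir. The check is lexical: cacheDir is assumed
// to be an absolute directory containing no symlinks that point outside it.
func SafeJoin(cacheDir, entry string) (string, error) {
	if entry == "" || filepath.IsAbs(entry) {
		return "", ErrPathEscape
	}
	base := filepath.Clean(cacheDir)
	// Join cleans the result, so "ext/../../x" collapses before the comparison;
	// a literal scan for "../" would also reject harmless names like "..config".
	target := filepath.Join(base, entry)
	rel, err := filepath.Rel(base, target)
	if err != nil {
		return "", ErrPathEscape
	}
	// "." is the cache dir itself; ".." or "../..." means the entry climbed out.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrPathEscape
	}
	return target, nil
}

// ExtractEntry writes one bundle entry to disk after the containment check and
// returns the path it was written to. Rejected entries are never created.
func ExtractEntry(cacheDir, name string, data []byte) (string, error) {
	target, err := SafeJoin(cacheDir, name)
	if err != nil {
		return "", fmt.Errorf("rejecting %q: %w", name, err)
	}
	if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
		return "", err
	}
	if err := os.WriteFile(target, data, 0o644); err != nil {
		return "", err
	}
	return target, nil
}

func main() {
	// Constructed sample: one legitimate entry and three traversal attempts of
	// the kinds the advisory lists. Paths are illustrative, not Rancher's layout.
	cacheDir, err := os.MkdirTemp("", "ui-plugin-cache")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(cacheDir)

	entries := []struct {
		name string
		data []byte
	}{
		{"my-ext/plugin.umd.min.js", []byte("console.log('hello')")},
		{"../../../usr/local/bin/rancher", []byte("not a real binary")},
		{"/etc/passwd", []byte("x")},
		{"my-ext/assets/../../../var/lib/rancher/state", []byte("y")},
	}
	for _, e := range entries {
		p, err := ExtractEntry(cacheDir, e.name, e.data)
		if err != nil {
			fmt.Println("REJECT", err)
			continue
		}
		fmt.Println("WRITE ", p)
	}
}
```

Running it writes only the first entry; the other three are rejected before any file is touched. The design choice worth noting is that the decision is made on the cleaned, joined path relative to the base, not by searching the raw entry name for `../`, so encoded or collapsed variants are judged by where they would actually land.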
Users are strongly urged to upgrade to v2.14.1, v2.13.5, v2.12.9, or v2.11.13.
While Rancher notes that “by default only the administrator can deploy UI extensions,” the risk remains high if permissions have been delegated to other users or if an admin is tricked into installing a rogue plugin.
There is currently no workaround for this vulnerability. The security team emphasizes that users must be extremely careful and “only install extensions that come from sources trusted by the user”.