Week 38 – From Chaos to Catastrophe: CVEs Shake Chaos Mesh

15 – 21 Sept 2025
What is chaos engineering? No, with this week’s CVE of the Week post, we do not want to dominate the world. Chaos engineering is a proactive testing approach that intentionally introduces failures and errors into systems to investigate their resiliency and robustness.
Chaos Mesh is an open-source platform that makes this method available to anyone, so that weaknesses, bugs, and faults can be identified in a controlled manner before they cause real problems in a production environment.
Chaotic Deputy is the name given to a quartet of vulnerabilities that researchers found in Chaos Mesh, three of them with a CVSS score of 9.8. Chained together, they could lead to unauthenticated code execution and command injection, with the possibility of a complete cluster takeover.
That is chaos for sure.
JFrog reported that the primary attack vector is an unauthenticated GraphQL server exposed by the Chaos Controller Manager component: CVE-2025-59358, a missing-authentication flaw, allows unauthorized access to the /query endpoint on port 10082.
The remaining three CVEs are OS command injection vulnerabilities in GraphQL mutations including cleanTcs, killProcesses, and cleanIptables. These mutations concatenate user input directly into command execution functions, allowing attackers to inject arbitrary shell commands through parameters such as device names, process IDs, and iptables chains.
These vulnerabilities were fixed in version 2.7.3, so upgrading to the newest version of the application is recommended, as all prior releases are affected. If patching is not feasible, disable the vulnerable control server; you can also restrict network traffic to the affected Chaos Mesh components and to port 10082.
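To make this injection class concrete, the following is an added illustrative Go example, not Chaos Mesh's own code: the function names, the iptables and kill command lines and the allowlist pattern are assumptions. It contrasts a handler that splices a caller-supplied chain name into a shell command line with one that validates the value and passes it as a separate argument, so no shell ever parses it.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Vulnerable pattern (illustrative): the chain name is concatenated into a
// single command line handed to a shell, so any shell metacharacters in it
// become part of the command.
func buildCleanIptablesUnsafe(chain string) []string {
	return []string{"sh", "-c", "iptables -F " + chain}
}

// Hardened version: allowlist the value (assumed pattern for chain names)
// and emit argv that would be run as exec.Command(argv[0], argv[1:]...).
var chainNameRe = regexp.MustCompile(`^[A-Za-z0-9_-]{1,28}$`)

func buildCleanIptablesSafe(chain string) ([]string, error) {
	if !chainNameRe.MatchString(chain) {
		return nil, fmt.Errorf("rejecting chain name %q: not in allowlist", chain)
	}
	return []string{"iptables", "-F", chain}, nil
}

// Same idea for a process-ID parameter: it must parse as a positive integer.
func buildKillProcessSafe(pid string) ([]string, error) {
	n, err := strconv.Atoi(pid)
	if err != nil || n <= 0 {
		return nil, fmt.Errorf("rejecting pid %q: not a positive integer", pid)
	}
	return []string{"kill", "-9", strconv.Itoa(n)}, nil
}

func main() {
	// Constructed inputs: a benign chain name and one carrying an extra command.
	for _, in := range []string{"INPUT", "INPUT; id"} {
		fmt.Printf("unsafe argv: %q\n", buildCleanIptablesUnsafe(in))
		if argv, err := buildCleanIptablesSafe(in); err != nil {
			fmt.Println("safe:", err)
		} else {
			fmt.Println("safe argv:", strings.Join(argv, " "))
		}
	}
}
```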
For in-depth analysis:
https://jfrog.com/blog/chaotic-deputy-critical-vulnerabilities-in-chaos-mesh-lead-to-kubernetes-cluster-takeover/
Other resources:
https://cybersecuritynews.com/chaos-mesh-vulnerabilities/
https://thehackernews.com/2025/09/chaos-mesh-critical-graphql-flaws.html

White Hat IT Security is a Europe-based Managed Security Services Provider (MSSP) and proud Microsoft Solution Partner. Its Microsoft-verified managed security solutions (MXDR) reflect its deep expertise and commitment to excellence in cybersecurity. The company was awarded the Partner of the Year Hungary Award by Microsoft in 2024.
With the largest incident response capacity in the CEE region, they’re trusted by organizations to deliver fast, effective, and proactive protection. Their portfolio includes penetration testing, vulnerability assessments, managed Cyber Threat Intelligence, as well as Governance, Risk and Compliance (GRC) consulting and specialized security training.
They are committed to supporting professional initiatives that aim to raise cybersecurity awareness and maturity—both for individuals and organizations. They regularly contribute to the community through knowledge sharing, education, and outreach, helping to build a safer digital future for all.