
CVE-2025-65719: Kubectl MCP Server RCE Vulnerability

CVE-2025-65719 is a remote code execution vulnerability in Kubectl MCP Server v1.1.1 that allows attackers to execute arbitrary code via crafted HTML pages. This article covers technical details, affected versions, and mitigation.

Published: May 17, 2026

CVE-2025-65719 Overview

CVE-2025-65719 is a code injection vulnerability [CWE-94] in the open source Kubectl MCP Server version 1.1.1. The flaw allows remote attackers to execute arbitrary code on a victim system when a user interacts with a crafted HTML page. The Kubectl MCP Server provides Model Context Protocol (MCP) integration for managing Kubernetes clusters through kubectl commands, often invoked by AI assistants and developer tools. Successful exploitation grants attackers the same privileges as the user running the MCP server, including the ability to interact with connected Kubernetes clusters.

Critical Impact

Attackers can achieve remote code execution on hosts running Kubectl MCP Server v1.1.1 by luring users to a malicious web page, potentially pivoting into managed Kubernetes environments.

Affected Products

  • Open Source Kubectl MCP Server v1.1.1
  • Deployments integrating kubectl-mcp-server with AI assistants or developer tooling
  • Kubernetes environments managed through the affected MCP server instance

Discovery Timeline

  • 2026-05-12 - CVE-2025-65719 published to the National Vulnerability Database
  • 2026-05-13 - Last updated in NVD database

Technical Details for CVE-2025-65719

Vulnerability Analysis

The vulnerability resides in how Kubectl MCP Server v1.1.1 processes input that originates from web content. Because the MCP server exposes interfaces invoked by AI assistants and browsers, a crafted HTML page can deliver attacker-controlled content that the server interprets as executable code. The issue is classified as Improper Control of Generation of Code [CWE-94], commonly known as code injection. The attack succeeds over the network, requires no authentication, and triggers when the victim interacts with the malicious page. Once execution succeeds, the attacker runs commands under the privileges of the MCP server process.

Root Cause

The root cause is insufficient sanitization and validation of inputs that flow from web-originated content into command or code execution paths. MCP servers expose tool-calling primitives, and when these primitives are reachable from browser contexts without strict origin and content controls, attacker-supplied payloads can be reflected into shell or interpreter execution. The lack of input boundary enforcement between untrusted HTML content and the local MCP execution context is the underlying defect.

Attack Vector

The attack requires a victim to visit or interact with a crafted HTML page while the Kubectl MCP Server is running locally or on a reachable host. The malicious page issues requests that the MCP server processes, embedding attacker-controlled parameters into command execution. The attacker does not need credentials or prior access to the target system. After code execution, the attacker can run arbitrary kubectl commands against connected clusters, exfiltrate kubeconfig credentials, or deploy malicious workloads. Technical analysis is available in the OX Security CVE-2025-65719 Analysis and the Kubectl MCP Server repository.

No verified public exploit code is referenced in the advisory. See the technical write-ups linked above for proof-of-concept details.

Detection Methods for CVE-2025-65719

Indicators of Compromise

  • Unexpected kubectl invocations originating from the MCP server process, especially commands targeting secrets, serviceaccounts, or workload creation
  • Outbound HTTP requests from browsers to local MCP server ports immediately followed by anomalous child processes
  • New or modified Kubernetes resources (Deployments, DaemonSets, CronJobs) created without a corresponding CI/CD or operator change
  • Access to ~/.kube/config or kubeconfig files by processes other than approved Kubernetes tooling

Detection Strategies

  • Monitor process creation events where the MCP server binary spawns shells, interpreters, or unexpected binaries
  • Inspect web server and proxy logs for browser-initiated requests to MCP server endpoints that include shell metacharacters or command fragments
  • Correlate Kubernetes audit logs with host-level process telemetry to identify cluster actions that lack a legitimate user-driven origin
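
The first and third strategies above can be combined into one correlation pass. The sketch below is an added example, not code from the advisory or from the Kubectl MCP Server project. The process-event schema, the `kubectl-mcp-server` image name, the interpreter list and the 10-second window are assumptions, and both log samples are constructed.

```python
import json
from datetime import datetime, timedelta

MCP_PARENT = "kubectl-mcp-server"   # assumed process image name
SHELLS = {"sh", "bash", "zsh", "python3", "node", "curl"}
SENSITIVE = {"secrets", "serviceaccounts"}
WORKLOADS = {"deployments", "daemonsets", "cronjobs"}
WINDOW = timedelta(seconds=10)      # assumed correlation window

# Constructed process-creation events (generic EDR-style schema, assumed).
PROC_EVENTS = """\
{"ts":"2026-05-14T10:00:01Z","parent":"kubectl-mcp-server","image":"kubectl","cmdline":"kubectl get pods -n dev"}
{"ts":"2026-05-14T10:03:20Z","parent":"kubectl-mcp-server","image":"sh","cmdline":"sh -c <redacted>"}
"""
# Constructed Kubernetes audit events (audit.k8s.io/v1 field names).
AUDIT_EVENTS = """\
{"requestReceivedTimestamp":"2026-05-14T10:00:01.500000Z","verb":"list","objectRef":{"resource":"pods"},"user":{"username":"dev-user"}}
{"requestReceivedTimestamp":"2026-05-14T10:03:22.100000Z","verb":"list","objectRef":{"resource":"secrets"},"user":{"username":"dev-user"}}
{"requestReceivedTimestamp":"2026-05-14T11:30:00.000000Z","verb":"create","objectRef":{"resource":"deployments"},"user":{"username":"ci-bot"}}
"""

def ts(value):
    # Normalise the trailing "Z" so older Python versions parse it too.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def load(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def suspicious_spawns(procs):
    """Process events where the MCP server itself starts a shell or interpreter."""
    return [p for p in procs if p["parent"] == MCP_PARENT and p["image"] in SHELLS]

def correlate(procs, audits):
    """Risky audit events seen within WINDOW after a suspicious spawn."""
    spawn_times = [ts(p["ts"]) for p in suspicious_spawns(procs)]
    hits = []
    for a in audits:
        # objectRef is absent on non-resource requests, so read it defensively.
        res, verb = (a.get("objectRef") or {}).get("resource"), a["verb"]
        risky = res in SENSITIVE or (res in WORKLOADS and verb == "create")
        when = ts(a["requestReceivedTimestamp"])
        if risky and any(timedelta(0) <= when - s <= WINDOW for s in spawn_times):
            hits.append((a["requestReceivedTimestamp"], verb, res, a["user"]["username"]))
    return hits

if __name__ == "__main__":
    for hit in correlate(load(PROC_EVENTS), load(AUDIT_EVENTS)):
        print("ALERT", *hit)
```

The later `create deployments` event by `ci-bot` is not flagged because no suspicious spawn precedes it inside the window; tune the window and the interpreter list against your own baseline.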

Monitoring Recommendations

  • Enable Kubernetes audit logging at the Metadata level or higher and forward events to a central analytics platform
  • Track network connections from browser processes to localhost ports bound by kubectl-mcp-server
  • Alert on first-seen parent-child process relationships involving the MCP server binary

How to Mitigate CVE-2025-65719

Immediate Actions Required

  • Stop or uninstall Kubectl MCP Server v1.1.1 instances until a fixed release is verified
  • Rotate kubeconfig credentials, service account tokens, and cloud provider credentials that the MCP server could access
  • Restrict the MCP server to bind only to loopback interfaces and require strict origin checks from any client
  • Review recent Kubernetes audit logs for unauthorized resource changes during the exposure window
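
One way to implement the strict origin checks named above for a loopback HTTP listener, shown as an added example rather than the Kubectl MCP Server's own code. The `check_request` helper, the allowed host list and port 8080 are assumptions for illustration, and the sample headers in `SAMPLES` are constructed.

```python
from urllib.parse import urlsplit

# Assumptions: the server listens on 127.0.0.1:8080 and no browser origin
# is trusted. Add a local UI origin to ALLOWED_ORIGINS only if one exists.
ALLOWED_HOSTS = {"127.0.0.1:8080", "localhost:8080"}
ALLOWED_ORIGINS = set()

def check_request(headers):
    """Return (allowed, reason) for one HTTP request's headers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    # 1. Host must name the loopback listener; a hostname that was rebound
    #    to 127.0.0.1 by DNS fails here.
    if h.get("host", "").lower() not in ALLOWED_HOSTS:
        return False, "unexpected Host"
    # 2. Browsers attach Origin to cross-origin POSTs; native clients
    #    normally send none. Any Origin not explicitly trusted is refused,
    #    including the opaque "null" origin.
    origin = h.get("origin")
    if origin is not None:
        o = urlsplit(origin)
        normalized = f"{o.scheme}://{o.netloc}".lower()
        if origin == "null" or normalized not in ALLOWED_ORIGINS:
            return False, "untrusted Origin"
    # 3. Fetch metadata: current browsers label cross-site requests.
    if h.get("sec-fetch-site") in {"cross-site", "same-site"}:
        return False, "cross-site browser request"
    # 4. Require JSON so HTML forms and other requests that skip the CORS
    #    preflight are rejected before any tool call is parsed.
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return False, "unexpected Content-Type"
    return True, "ok"

# Constructed sample requests.
SAMPLES = {
    "native client": {"Host": "127.0.0.1:8080", "Content-Type": "application/json"},
    "web page": {"Host": "127.0.0.1:8080", "Origin": "https://site.example",
                 "Content-Type": "text/plain"},
    "rebound name": {"Host": "rebound.example:8080", "Content-Type": "application/json"},
    "html form": {"Host": "localhost:8080", "Content-Type": "text/plain"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, check_request(hdrs))
```

These header checks narrow browser reachability only; they do not replace validation of the parameters that reach command execution.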

Patch Information

No official patched version is referenced in the NVD entry at publication time. Monitor the Kubectl MCP Server repository for updated releases and consult the OX Security advisory for remediation guidance. Until a verified fix is published, treat all v1.1.1 deployments as vulnerable.

Workarounds

  • Run the MCP server inside a sandboxed container with no host filesystem access and a least-privilege kubeconfig
  • Block browser access to MCP server ports using host firewall rules or browser extension policies
  • Disable the MCP integration in AI assistants and developer tools that connect to kubectl-mcp-server
  • Apply network segmentation so that the MCP server cannot reach production Kubernetes API endpoints
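
```bash
# Configuration example: restrict MCP server to loopback and isolate via firewall
# 1. Bind MCP server to localhost only (example wrapper; these variable names
#    are placeholders, so use the bind options your deployment actually reads)
export MCP_BIND_ADDRESS=127.0.0.1
export MCP_BIND_PORT=8080

# 2. Block external access with iptables (drops TCP/8080 arriving on any
#    interface other than loopback; an IPv6 listener needs the equivalent
#    ip6tables rule). This does not stop requests from a browser on the same
#    host, so pair it with the origin checks listed under Immediate Actions.
sudo iptables -A INPUT -p tcp --dport 8080 ! -i lo -j DROP

# 3. Run with a scoped kubeconfig (read-only, namespace-restricted)
export KUBECONFIG=/etc/mcp/readonly-kubeconfig.yaml
```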

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: RCE
  • Vendor/Tech: Kubectl
  • Severity: CRITICAL
  • CVSS Score: 9.8
  • EPSS Probability: 0.07%
  • Known Exploited: No

CVSS Vector

  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: High

CWE References

  • CWE-94

Technical References

  • GitHub PoC Repository
  • OX Security Blog CVE-2025-65719 Analysis
  • OX Security Blog Remote Code Execution

Related CVEs

  • CVE-2025-69902: kubectl-mcp-server RCE Vulnerability