mitigated by:

- Deploy the patch version of the Kubernetes C# client as soon as possible.
- Moving the CA certificates into the system trust store instead of specifying them in the kubeconfig file. Note: This approach may introduce new risks, as all processes on the system will begin to trust certificates signed by that CA.

If you must use an affected version, you can disable custom CA and add the CA to the machine's trusted root.

Fixed Versions

- Kubernetes C# client >= v17.0.14

Detection

To determine if your applications are affected:

- Review your usage of the Kubernetes C# client and inspect certificate validation logic.
- Review your kubeconfig files and determine if you use a custom CA certificate (the certificate-authority field in the clusters section).
- Review client logs for unexpected or untrusted certificate connections.

If you find evidence that this vulnerability has been exploited, please contact security@kubernetes.io

Thank You,
Rita Zhang on behalf of the Kubernetes Security Response Committee

Additional Details

See the GitHub issue for more details: https://github.com/kubernetes/kubernetes/issues/134063

Acknowledgements

This vulnerability was reported by @elliott-beach

The issue was fixed and coordinated by:

- Boshi Lian @tg123
- Brendan Burns @brendandburns
- Rita Zhang @ritazh
[kubernetes-announce] [Security Advisory] CVE-2025-9708: Kubernetes C# Client: improper certificate validation in custom CA mode may lead to man-in-the-middle attacks
Rita Zhang
kubernetes-announce, dev, kubernetes-security-announce@googlegroups.com, kubernetes-security-discuss, distributors-announce@kubernetes.io
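The first two Detection checks can be scripted for triage. The following is an added example, not code from the advisory or from the Kubernetes project. It assumes the client is referenced under the NuGet package id KubernetesClient, that any version older than the fixed release is unpatched, and that the kubeconfig is block-style YAML. It also counts the inline certificate-authority-data field as a custom CA, which the advisory does not mention.

```python
import re

FIXED = (17, 0, 14)  # first fixed release named in the advisory
CA_KEYS = ("certificate-authority", "certificate-authority-data")

def below_fixed(version):
    """True if a dotted version string sorts before FIXED."""
    nums = [int(n) for n in re.findall(r"\d+", version.split("-")[0])[:3]]
    return tuple(nums + [0] * (3 - len(nums))) < FIXED

def old_client_refs(csproj_text):
    """Referenced KubernetesClient versions (assumed package id) below FIXED."""
    pat = r'Include="KubernetesClient"\s+Version="([^"]+)"'
    return [v for v in re.findall(pat, csproj_text) if below_fixed(v)]

def clusters_with_custom_ca(kubeconfig_text):
    """Names of cluster entries that set a CA (block-style YAML only)."""
    found, in_clusters, item_indent, entry = [], False, None, None
    for raw in kubeconfig_text.splitlines() + ["end:"]:  # sentinel flushes last entry
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        top_key = indent == 0 and not line.startswith("-")
        new_item = (in_clusters and not top_key and line.lstrip().startswith("- ")
                    and item_indent in (None, indent))
        if (top_key or new_item) and entry and entry["ca"]:
            found.append(entry["name"])
        if top_key:
            in_clusters, item_indent, entry = line.startswith("clusters:"), None, None
            continue
        if new_item:  # rewrite "- key:" as an indented "key:" line
            item_indent, entry = indent, {"ca": False, "name": "<unnamed>"}
            line, indent = " " * (indent + 2) + line.lstrip()[2:], indent + 2
        if entry is None:
            continue
        key, _, value = line.strip().partition(":")
        if key == "name" and indent == item_indent + 2:
            entry["name"] = value.strip().strip("'\"")
        elif key in CA_KEYS and value.strip():
            entry["ca"] = True
    return found

# Constructed sample inputs, not taken from the advisory.
SAMPLE_CSPROJ = '<PackageReference Include="KubernetesClient" Version="17.0.4" />'
SAMPLE_KUBECONFIG = "\n".join([
    "clusters:", "- cluster:", "    certificate-authority: /etc/kube/ca.crt",
    "  name: internal", "- cluster:", "    server: https://public.example.test",
    "  name: public"])
```

An application warrants review when both functions return results for it: an old client reference and at least one cluster entry with a custom CA.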