{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/isovalent/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Cilium"],"_cs_severities":["high"],"_cs_tags":["cilium","wireguard","key-disclosure","credential-access"],"_cs_type":"advisory","_cs_vendors":["Cilium","Isovalent"],"content_html":"\u003cp\u003eA vulnerability exists in the \u003ccode\u003ecilium-bugtool\u003c/code\u003e utility within Cilium, an open-source networking and security platform for cloud-native environments. When used with WireGuard Transparent Encryption enabled, the tool can inadvertently include the WireGuard private key (\u003ccode\u003ecilium_wg0.key\u003c/code\u003e) in its output. This affects Cilium versions v1.19 between v1.19.0 and v1.19.2, v1.18 between v1.18.0 and v1.18.8, and all versions prior to v1.17.15. The exposure occurs because the tool, used for debugging and generating system dumps, collects sensitive configuration files. The vulnerability was reported and addressed by the Cilium community, with patches released in versions v1.19.3, v1.18.9, and v1.17.15. Failure to patch could lead to unauthorized decryption of network traffic.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains access to a system running a vulnerable Cilium version with WireGuard enabled, or obtains a \u003ccode\u003ecilium-bugtool\u003c/code\u003e archive.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecilium-bugtool\u003c/code\u003e or \u003ccode\u003ecilium sysdump\u003c/code\u003e command is executed, either manually by a user or an automated process (initiated by the attacker if they have access).\u003c/li\u003e\n\u003cli\u003eThe tool collects various debugging information, including the \u003ccode\u003ecilium_wg0.key\u003c/code\u003e file containing the WireGuard private key.\u003c/li\u003e\n\u003cli\u003eThe resulting archive is stored locally, potentially accessible to the attacker.\u003c/li\u003e\n\u003cli\u003eAttacker exfiltrates the \u003ccode\u003ecilium-bugtool\u003c/code\u003e archive containing the WireGuard private key.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the extracted private key to decrypt WireGuard-encrypted traffic between Cilium nodes.\u003c/li\u003e\n\u003cli\u003eThe attacker monitors and intercepts sensitive network communications.\u003c/li\u003e\n\u003cli\u003eAttacker pivots within the cluster using the decrypted traffic to discover additional services or escalate privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to decrypt network traffic between Cilium nodes that are using WireGuard encryption. This could lead to the exposure of sensitive data, such as credentials, API keys, or proprietary information. The number of affected deployments is currently unknown, but any Cilium environment using WireGuard encryption and running a vulnerable version is at risk. The impact is significant because it compromises the confidentiality of network communications, potentially enabling further attacks and data breaches.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Cilium to versions v1.19.3, v1.18.9, or v1.17.15 or later to remediate CVE-2026-41520.\u003c/li\u003e\n\u003cli\u003eRotate WireGuard keys on affected nodes if \u003ccode\u003ecilium-bugtool\u003c/code\u003e archives have been shared externally, as suggested in the advisory. Delete the \u003ccode\u003ecilium_wg0.key\u003c/code\u003e file and restart the Cilium agent.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies to limit who can execute \u003ccode\u003ecilium-bugtool\u003c/code\u003e or \u003ccode\u003ecilium sysdump\u003c/code\u003e commands, preventing unauthorized key disclosure.\u003c/li\u003e\n\u003cli\u003eMonitor for unusual execution of \u003ccode\u003ecilium-bugtool\u003c/code\u003e or \u003ccode\u003ecilium sysdump\u003c/code\u003e using process monitoring tools. Deploy a Sigma rule that detects unexpected execution paths.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-26T12:00:00Z","date_published":"2026-04-26T12:00:00Z","id":"/briefs/2026-04-cilium-wg-key-disclosure/","summary":"The `cilium-bugtool` debugging tool in Cilium exposes WireGuard private keys, potentially allowing unauthorized access to encrypted node-to-node communication in affected versions.","title":"Cilium `cilium-bugtool` WireGuard Private Key Exposure","url":"https://feed.craftedsignal.io/briefs/2026-04-cilium-wg-key-disclosure/"}],"language":"en","title":"CraftedSignal Threat Feed — Isovalent","version":"https://jsonfeed.org/version/1.1"}