🟠 High  |  Source: Microsoft Security Response Center


A vulnerability in KubeVirt (CVE-2026-13325) means that enabling the ‘disableTLS’ migration setting removes authentication controls entirely, leaving the virtqemud proxy exposed without authentication on all network interfaces. This could allow an attacker with network access to interact with the virtual machine management proxy directly, potentially compromising running workloads. The issue affects the RHEL9 virt-handler component and is published via Microsoft’s security advisory channel, indicating relevance to Azure environments running KubeVirt-based workloads.

Security Architect’s Take: Audit any KubeVirt deployments on Azure (including AKS-based VM workloads) for use of the ‘disableTLS’ migration setting and turn that setting off immediately, so that TLS and mutual authentication are enforced on all migration traffic. Restrict network access to the virtqemud proxy at the network policy level as a compensating control until patched components are deployed.
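One way to run the audit described above, as an added example that is not part of the advisory or the KubeVirt project: it scans the JSON from `kubectl get kubevirt -A -o json` and reports every KubeVirt custom resource that sets `disableTLS: true` under `spec.configuration.migrations`. The sample input, resource names and the script name `audit_disabletls.py` are constructed for illustration.

```python
import json
import sys

# Constructed sample, shaped like `kubectl get kubevirt -A -o json` output.
SAMPLE = """
{"items": [
  {"metadata": {"namespace": "kubevirt", "name": "kubevirt"},
   "spec": {"configuration": {"migrations": {"disableTLS": true}}}},
  {"metadata": {"namespace": "virt-lab", "name": "kubevirt-lab"},
   "spec": {"configuration": {"migrations": {"disableTLS": false}}}},
  {"metadata": {"namespace": "virt-dev", "name": "kubevirt-dev"},
   "spec": {}}
]}
"""


def audit(raw_json):
    """Return 'namespace/name' of every KubeVirt CR that sets disableTLS: true."""
    doc = json.loads(raw_json)
    # Accept a List (kubectl get -A) or a single custom resource.
    items = doc.get("items", [doc])
    flagged = []
    for cr in items:
        spec = cr.get("spec") or {}
        config = spec.get("configuration") or {}
        migrations = config.get("migrations") or {}
        # Only an explicit boolean true is flagged; a missing key is not.
        if migrations.get("disableTLS") is True:
            meta = cr.get("metadata") or {}
            flagged.append(f"{meta.get('namespace', '?')}/{meta.get('name', '?')}")
    return flagged


if __name__ == "__main__":
    # Usage: kubectl get kubevirt -A -o json | python3 audit_disabletls.py -
    raw = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE
    hits = audit(raw)
    for hit in hits:
        print(f"FINDING: {hit} has migrations.disableTLS=true")
    sys.exit(1 if hits else 0)
```

The non-zero exit code on a finding lets the check gate a CI job or a scheduled compliance scan.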

Original advisory: CVE-2026-13325 Virt-handler-rhel9: kubevirt: kubevirt: disabletls migration setting removes authentication, exposing unauthenticated virtqemud proxy on all interfaces