CVE-2020-8554

MEDIUM

Kubernetes API Server - Traffic Interception via Service externalIPs

Title source: manual
STIX 2.1

Exploitation Summary

EIP tracks 6 public exploits for CVE-2020-8554. PoCs published by rancher, jrmurray000, twistlock.

AI-analyzed exploit summary This repository contains CI/CD pipelines, Docker configurations, and Kubernetes deployment manifests for the Rancher ExternalIP Webhook project but lacks any exploit code or technical details related to CVE-2020-8554.

Description

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.

Exploits (6)

nomisec STUB 3 stars
by rancher · poc
https://github.com/rancher/externalip-webhook

This repository contains CI/CD pipelines, Docker configurations, and Kubernetes deployment manifests for the Rancher ExternalIP Webhook project but lacks any exploit code or technical details related to CVE-2020-8554.

Classification
Stub 90%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: Rancher ExternalIP Webhook
No auth needed
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WRITEUP 1 stars
by jrmurray000 · poc
https://github.com/jrmurray000/CVE-2020-8554

This repository provides Policy Controller configurations to mitigate CVE-2020-8554 by restricting Kubernetes Services from using unauthorized external IPs. It includes templates and constraints for both allowlisting specific IPs and blocking CIDR ranges.

Classification
Writeup 95%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: Kubernetes (multitenant clusters)
Auth required
Prerequisites: Ability to create or edit Kubernetes Services and Pods · Access to apply Policy Controller configurations
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WRITEUP 1 stars
by twistlock · poc
https://github.com/twistlock/k8s-cve-2020-8554-mitigations

This repository provides mitigation guidance and Prisma Cloud Compute Admission rules for CVE-2020-8554, a Kubernetes design flaw allowing Man-in-The-Middle attacks via service IP interception. It includes technical details about the vulnerability but does not contain exploit code.

Classification
Writeup 90%
Attack Type
Other
Complexity
Moderate
Reliability
Theoretical
Target: Kubernetes (unpatched versions)
Auth required
Prerequisites: Ability to create or update Kubernetes services · Access to patch service status
devstral-2 · analyzed Feb 18, 2026 Full analysis →
gitlab WRITEUP
by mike-ensor · poc
https://gitlab.com/mike-ensor/mitigating-cve-2020-8554

This repository provides a technical mitigation strategy for CVE-2020-8554 using Anthos Config Management's Policy Management to prevent the creation of public IP addresses in Kubernetes services. It includes constraint templates and validation scripts to enforce policies against LoadBalancer service types.

Classification
Writeup 90%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: Kubernetes (CVE-2020-8554)
Auth required
Prerequisites: Access to Kubernetes cluster with Anthos Config Management · Ability to apply policy constraints
devstral-2 · analyzed Feb 23, 2026 Full analysis →
nomisec WRITEUP
by alebedev87 · poc
https://github.com/alebedev87/gatekeeper-cve-2020-8554

This repository provides a Gatekeeper constraint template to mitigate CVE-2020-8554, which involves Kubernetes Services with externalIPs. It includes a ConstraintTemplate and a constraint to restrict externalIPs except for those in an allowlist.

Classification
Writeup 90%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: Kubernetes Gatekeeper
Auth required
Prerequisites: Kubernetes cluster with Gatekeeper installed · Access to apply Gatekeeper policies
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC
by Dviejopomata · poc
https://github.com/Dviejopomata/CVE-2020-8554

This repository contains a functional proof-of-concept exploit for CVE-2020-8554, which allows an attacker to bypass Kubernetes service validation by manipulating the `externalIPs` field in a LoadBalancer service. The exploit demonstrates how an attacker can assign arbitrary external IPs to a service, potentially leading to traffic interception or man-in-the-middle attacks.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Kubernetes (versions affected by CVE-2020-8554)
Auth required
Prerequisites: Access to a Kubernetes cluster with permissions to create/modify services · Cert-manager installed in the cluster
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (10)

Core 10
Core References
Mailing List, Third Party Advisory x_refsource_misc
https://groups.google.com/g/kubernetes-security-announce/c/iZWsF9nbKE8
Exploit, Third Party Advisory x_refsource_misc
https://github.com/kubernetes/kubernetes/issues/97076
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com//security-alerts/cpujul2021.html
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujan2022.html
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuapr2022.html

Scores

CVSS v3 6.3
EPSS 0.2478
EPSS Percentile 96.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Details

CWE
CWE-283
Status published
Products (5)
k8s.io/kubernetes 0 - 1.22.0Go
kubernetes/kubernetes
oracle/communications_cloud_native_core_network_slice_selection_function 1.2.1
oracle/communications_cloud_native_core_policy 1.15.0
oracle/communications_cloud_native_core_service_communication_proxy 1.14.0
Published Jan 21, 2021
Tracked Since Feb 18, 2026