What starting position does this attack require?

The first step is Authenticate (default / leaked admin) (W-AUTH-DEFAULT) — a credential access primitive. Assumed environment: K8s cluster managed by ArgoCD.

What is the final impact of this kill-chain?

The final step lands on Find ArgoCD UI / API (N-NMAP-INTERNAL), which falls under Discovery. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 6 steps · 5 edges

Approved

ArgoCD weak RBAC → cluster admin via custom Application

ArgoCD installed with the default admin user and broad RBAC. Attacker creates an Application pointing at attacker manifests — ArgoCD syncs them with cluster-admin.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Credential Access

Authenticate (default / leaked admin)

W-AUTH-DEFAULT · Default Credentials

Privilege Escalation

Privileged pod runs on the cluster

K-PRIV-CONTAINER · Privileged Container Escape

Privilege Escalation

Mount host fs → cluster-admin

K-HOSTPATH-MOUNT · hostPath Volume Mount

Persistence

ArgoCD syncs malicious manifests

K-CRONJOB-PERSIST · Malicious CronJob / DaemonSet

Privilege Escalation

Create Application from attacker repo

CI-ARGOCD-TAKEOVER · ArgoCD Misconfigured RBAC

Discovery

Find ArgoCD UI / API

N-NMAP-INTERNAL · Internal Nmap Sweep

§ Context

Assumed environment: K8s cluster managed by ArgoCD. Default admin credentials never rotated (Bitnami chart leaves them in a secret), or the admin password leaked.

§ Steps

01
Authenticate (default / leaked admin)Credential Access
W-AUTH-DEFAULT— Default Credentials
02
Privileged pod runs on the clusterPrivilege Escalation
K-PRIV-CONTAINER— Privileged Container Escape
03
Mount host fs → cluster-adminPrivilege Escalation
K-HOSTPATH-MOUNT— hostPath Volume Mount
04
ArgoCD syncs malicious manifestsPersistence
K-CRONJOB-PERSIST— Malicious CronJob / DaemonSet
05
Create Application from attacker repoPrivilege Escalation
CI-ARGOCD-TAKEOVER— ArgoCD Misconfigured RBAC
06
Find ArgoCD UI / APIDiscovery
N-NMAP-INTERNAL— Internal Nmap Sweep

§ Frequently asked

What is the "ArgoCD weak RBAC → cluster admin via custom Application" attack path?: ArgoCD installed with the default admin user and broad RBAC. Attacker creates an Application pointing at attacker manifests — ArgoCD syncs them with cluster-admin. It chains 6 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Authenticate (default / leaked admin) (W-AUTH-DEFAULT) — a credential access primitive. Assumed environment: K8s cluster managed by ArgoCD.
What is the final impact of this kill-chain?: The final step lands on Find ArgoCD UI / API (N-NMAP-INTERNAL), which falls under Discovery. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

ArgoCD weak RBAC → cluster admin via custom Application

§ Context

§ Steps

§ Frequently asked

§ Related dossiers

Docker socket exposed in pod → host root

Reconfigure MFP LDAP → harvest service-account credentials

Jenkins /script Groovy console → RCE → AD

Privileged pod escape → cluster admin

CVE-2024-21626 (Leaky Vessels) → container escape