Services with an empty selector rely on custom endpoints and are vulnerable to CVE-2021-25740. An adversary can potentially direct a LoadBalancer or Ingress implementation to expose backend IPs the attacker should not have access to.
There is no patch for this issue. Therefore, it is recommended either not to create Services without a selector or to restrict write access to Endpoints and EndpointSlices by updating the system:aggregate-to-edit role using the attached file.
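One way to audit a cluster for both conditions, as an added example that is not part of the original rule or of Kubernetes itself: it lists Services with no selector and reports the write verbs a ClusterRole grants on Endpoints or EndpointSlices. The function names and the sample Service list and ClusterRole are constructed for illustration, and skipping ExternalName Services is a choice made in this example.

```python
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}
# API group -> resource that backs a selectorless Service
TARGETS = {"": "endpoints", "discovery.k8s.io": "endpointslices"}

def selectorless_services(service_list):
    """Return namespace/name of Services with no selector (they rely on custom endpoints)."""
    found = []
    for svc in service_list.get("items", []):
        spec = svc.get("spec", {})
        # Choice made in this example: ExternalName Services use DNS, not Endpoints.
        if spec.get("type") == "ExternalName":
            continue
        if not spec.get("selector"):  # covers a missing key and an empty {}
            meta = svc["metadata"]
            found.append(f'{meta.get("namespace", "default")}/{meta["name"]}')
    return found

def endpoint_write_verbs(cluster_role):
    """Return the write verbs a ClusterRole grants on Endpoints or EndpointSlices."""
    verbs = set()
    for rule in cluster_role.get("rules") or []:
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        hit = any(
            (g in groups or "*" in groups) and (r in resources or "*" in resources)
            for g, r in TARGETS.items())
        if hit:
            verbs |= WRITE_VERBS & set(rule.get("verbs", []))
    return sorted(verbs)

# Constructed sample data, shaped like the output of `kubectl get services -A -o json`
# and `kubectl get clusterrole system:aggregate-to-edit -o json`.
SERVICES = {"items": [
    {"metadata": {"namespace": "shop", "name": "web"}, "spec": {"type": "ClusterIP", "selector": {"app": "web"}}},
    {"metadata": {"namespace": "shop", "name": "legacy-db"}, "spec": {"type": "ClusterIP"}},
    {"metadata": {"namespace": "shop", "name": "empty"}, "spec": {"type": "LoadBalancer", "selector": {}}},
    {"metadata": {"namespace": "shop", "name": "partner-api"}, "spec": {"type": "ExternalName", "externalName": "api.example.com"}},
]}
ROLE = {"metadata": {"name": "system:aggregate-to-edit"}, "rules": [
    {"apiGroups": [""], "resources": ["services", "endpoints"], "verbs": ["create", "delete", "patch", "update"]},
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["create", "update"]},
    {"apiGroups": ["discovery.k8s.io"], "resources": ["endpointslices"], "verbs": ["get", "list", "watch"]},
]}

if __name__ == "__main__":
    print("Services without a selector:", selectorless_services(SERVICES))
    print("Write verbs on Endpoints/EndpointSlices:", endpoint_write_verbs(ROLE))
```

An empty list from `endpoint_write_verbs` means the role no longer allows writes to Endpoints or EndpointSlices; any Service reported by `selectorless_services` should be reviewed or given a selector.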