Advisory March 26, 2025

Critical Vulnerability in Ingress-Nginx (CVE-2025-1974)

The Obrela Threat Intelligence Team

A critical vulnerability (CVE-2025-1974) has been identified in the Ingress-Nginx controller, a popular Kubernetes ingress controller. Combined with other related vulnerabilities, it allows an attacker with access to the pod network to potentially take over a Kubernetes cluster without credentials or administrative access.

Description:

CVE-2025-1974, with a CVSS score of 9.8, arises from configuration injection vulnerabilities in the Validating Admission Controller feature of ingress-nginx and enables remote code execution. An attacker can inject malicious configuration into the Nginx configuration through a specially crafted Ingress object, resulting in arbitrary command execution within the Ingress-Nginx controller pod and potentially exposing sensitive information, including the Secrets that ingress-nginx can read. By default, Ingress-Nginx often has access to all Secrets cluster-wide.

Successful exploitation of CVE-2025-1974 could lead to complete cluster takeover. This is particularly concerning because the attack can be initiated from any entity with access to the Pod network.

Affected systems:

  • All systems running affected Ingress-Nginx versions (releases earlier than the fixed versions listed below).

Recommendations:

  • Upgrade to ingress-nginx v1.11.5 or v1.12.1.
  • Implement strong antivirus and anti-malware solutions with real-time scanning capabilities.
  • Regularly scan your system for suspicious files or processes.
  • Monitor the system for unusual registry modifications or scheduled tasks.
  • Ensure automatic updates are enabled for future instances whenever possible.
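The first recommendation above is only actionable once you know which controller versions are running. The following script is an added example written for this advisory, not code from Obrela or the ingress-nginx project. It reads a "kubectl get pods -A -o json" style document (a constructed sample is embedded so it runs offline), finds ingress-nginx controller containers by their image path, and flags any whose tag is below the fixed releases v1.11.5 and v1.12.1 named in this advisory. The assumption that every release older than those two fixes needs an upgrade is the script's own, as is the image path match on "ingress-nginx/controller".

```python
import json
import re
from typing import Dict, List, Optional, Tuple

# Fixed releases named in the advisory. Anything below the fix in its
# minor series, or older than both fixes, is treated as needing an upgrade
# (assumption made for this example).
FIXED_VERSIONS: List[Tuple[int, int, int]] = [(1, 11, 5), (1, 12, 1)]

# Constructed sample: a trimmed "kubectl get pods -A -o json" document.
# The sha256 digest is a placeholder, not a real image digest.
SAMPLE_PODS_JSON = json.dumps({
    "items": [
        {"metadata": {"name": "ingress-nginx-controller-aaaa", "namespace": "ingress-nginx"},
         "spec": {"containers": [{"name": "controller",
                  "image": "registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:PLACEHOLDER"}]}},
        {"metadata": {"name": "ingress-nginx-controller-bbbb", "namespace": "ingress-prod"},
         "spec": {"containers": [{"name": "controller",
                  "image": "registry.k8s.io/ingress-nginx/controller:v1.11.5"}]}},
        {"metadata": {"name": "ingress-nginx-controller-cccc", "namespace": "ingress-legacy"},
         "spec": {"containers": [{"name": "controller",
                  "image": "registry.k8s.io/ingress-nginx/controller:v1.10.1"}]}},
        {"metadata": {"name": "coredns-dddd", "namespace": "kube-system"},
         "spec": {"containers": [{"name": "coredns",
                  "image": "registry.k8s.io/coredns/coredns:v1.11.1"}]}},
    ]
})

TAG_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(image: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from an image reference's tag.

    The digest suffix (@sha256:...) is dropped first so it cannot be
    mistaken for a tag; an untagged or non-semver image yields None.
    """
    without_digest = image.split("@", 1)[0]
    if ":" not in without_digest:
        return None
    tag = without_digest.rsplit(":", 1)[1]
    m = TAG_RE.match(tag)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def needs_upgrade(version: Tuple[int, int, int]) -> bool:
    """True when the version is below the fix for its minor series, or
    older than every fixed release (e.g. the 1.10 series)."""
    for fixed in FIXED_VERSIONS:
        if version[:2] == fixed[:2]:
            return version < fixed
    return version < min(FIXED_VERSIONS)


def audit_ingress_nginx(pods_json: str) -> List[Dict[str, str]]:
    """Return one finding per ingress-nginx controller container found in
    the pod list, with status "UPGRADE", "ok" or "unknown" (unparsable tag)."""
    findings: List[Dict[str, str]] = []
    for pod in json.loads(pods_json).get("items", []):
        namespace = pod["metadata"]["namespace"]
        name = pod["metadata"]["name"]
        for container in pod["spec"].get("containers", []):
            image = container.get("image", "")
            # Assumption: the controller image path always contains this segment.
            if "ingress-nginx/controller" not in image:
                continue
            version = parse_version(image)
            if version is None:
                status = "unknown"
            else:
                status = "UPGRADE" if needs_upgrade(version) else "ok"
            findings.append({"namespace": namespace, "pod": name,
                             "image": image, "status": status})
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_PODS_JSON with the output of:
    #   kubectl get pods -A -o json
    for f in audit_ingress_nginx(SAMPLE_PODS_JSON):
        print(f"{f['status']:8} {f['namespace']}/{f['pod']}  {f['image']}")
```

Run it against real cluster output by piping "kubectl get pods -A -o json" into the script in place of the sample; any line marked UPGRADE identifies a controller that is still on a release older than those the advisory tells you to move to, and an "unknown" line means the tag could not be parsed and should be checked by hand.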

References: