A critical vulnerability (CVE-2025-1974) has been identified in ingress-nginx, a widely deployed Kubernetes ingress controller. Chained with the related configuration-injection vulnerabilities disclosed alongside it (CVE-2025-24513, CVE-2025-24514, CVE-2025-1097 and CVE-2025-1098), it allows an unauthenticated attacker who can reach the cluster's pod network to execute code inside the ingress-nginx controller pod and, from there, potentially take over the whole Kubernetes cluster. No credentials, no Kubernetes API permissions and no administrative access are required.
Description:
CVE-2025-1974 (CVSS 9.8) lies in the Validating Admission Controller feature of ingress-nginx. The admission webhook validates an Ingress object by rendering a candidate nginx configuration from it and test-loading that configuration with nginx. In a default installation the webhook endpoint is reachable over the pod network and does not authenticate its callers, so the attacker does not need permission to create Ingress objects: a crafted AdmissionReview request can be sent straight to the webhook. Combined with the annotation-based configuration-injection flaws listed above, the crafted Ingress places attacker-controlled nginx directives into the configuration that is test-loaded, which results in arbitrary command execution inside the ingress-nginx controller pod. The attacker then holds the controller's service-account credentials, and by default ingress-nginx can read all Secrets cluster-wide, so credentials belonging to any workload in the cluster are exposed.
Successful exploitation of CVE-2025-1974 can therefore lead to complete cluster takeover. This is particularly concerning because the attack can be launched from anything that can reach the pod network, including a single compromised low-privilege pod.
Affected systems:
- Kubernetes clusters running ingress-nginx controller versions before v1.11.0, v1.11.0 through v1.11.4, or v1.12.0 with the Validating Admission Controller feature enabled (it is enabled by default). To find out whether ingress-nginx is deployed in a cluster, run: kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx
Recommendations:
- Upgrade ingress-nginx to v1.11.5 or v1.12.1 (or a later release). This is the only complete fix.
- If you cannot upgrade immediately, disable the Validating Admission Controller feature as a stop-gap. With Helm, reinstall with the value controller.admissionWebhooks.enabled=false. With a manual install, delete the ValidatingWebhookConfiguration named ingress-nginx-admission and remove the --validating-webhook argument from the controller container in the ingress-nginx-controller Deployment or DaemonSet. Re-enable the feature after upgrading, because without it malformed Ingress objects are no longer rejected at admission time.
- As defence in depth, restrict network access to the admission webhook port so that only the Kubernetes API server can reach it (for example with a NetworkPolicy); the unauthenticated webhook endpoint is what makes the attack reachable from the pod network.
- Monitor the ingress-nginx controller pods for unexpected child processes, unexpected outbound connections and changes to the rendered nginx configuration, and review Kubernetes audit logs and the controller's own logs for Ingress objects carrying unusual annotations or unexpected AdmissionReview traffic.
- Scan running container images for the affected controller versions as part of regular vulnerability scanning, and automate ingress-nginx upgrades where possible so that future fixes are picked up promptly.
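As an added example (not code from this advisory, the Kubernetes project or ingress-nginx), the POSIX shell script below turns the affected-version list above into a check that can be run against kubectl output: it extracts the controller image tag, classifies it against the v1.11.5 / v1.12.1 fix boundaries, and reports whether the admission webhook flag (--validating-webhook) is still present on each controller. The sample input at the bottom is constructed. The kubectl invocation in the comment is a suggestion that assumes the controller is the first container of its Deployment or DaemonSet, that its flags are set via args rather than command, and that the controller carries the Helm chart's app.kubernetes.io/component=controller label.

```shell
#!/bin/sh
# Added example, not code from the Kubernetes advisory or the ingress-nginx project.
# Classifies ingress-nginx controller image tags against the fixed releases named
# in the advisory (v1.11.5, v1.12.1) and reports whether each controller still runs
# the admission webhook, the component through which CVE-2025-1974 is reached.
# Input format, one controller per line: "<namespace> <name> <image> <args...>".
# Assumptions: controller is the first container, flags are passed via args.

# image_tag IMAGE -> prints the tag of an image reference, with any @digest removed
image_tag() {
  img=${1%%@*}                    # drop a "@sha256:..." pin if present
  tag=${img##*:}                  # text after the last ":"
  case "$tag" in
    */*|"$img") tag="" ;;         # that was a registry port, or there was no ":"
  esac
  printf '%s\n' "$tag"
}

# is_vulnerable TAG -> 0 if TAG is an affected release (below v1.11.0,
# v1.11.0 to v1.11.4, or v1.12.0), 1 if fixed, 2 if the tag is not a plain version
is_vulnerable() {
  v=${1#v}
  case "$v" in
    ""|*[!0-9.]*) return 2 ;;     # e.g. "latest": cannot be classified
  esac
  oldifs=$IFS; IFS=.; set -- $v; IFS=$oldifs
  maj=${1:-0}; min=${2:-0}; pat=${3:-0}
  [ "$maj" -eq 1 ] || { [ "$maj" -lt 1 ] && return 0; return 1; }
  [ "$min" -lt 11 ] && return 0
  [ "$min" -eq 11 ] && { [ "$pat" -lt 5 ] && return 0; return 1; }
  [ "$min" -eq 12 ] && { [ "$pat" -lt 1 ] && return 0; return 1; }
  return 1                        # v1.13 and later are post-fix lines
}

# webhook_enabled ARGS -> 0 if the controller flags still enable the admission
# webhook (flag --validating-webhook, usually "--validating-webhook=:8443")
webhook_enabled() {
  for a in $1; do
    case "$a" in
      --validating-webhook|--validating-webhook=*) return 0 ;;
    esac
  done
  return 1
}

# audit -> reads controller lines from stdin, prints one verdict per line and
# returns 0 only when no affected controller was seen (usable as a CI gate)
audit() {
  bad=0
  while read -r ns name image args; do
    [ -n "$image" ] || continue
    case "$image" in
      *controller*) ;;
      *) printf '%s/%s: skipped, not a controller image (%s)\n' "$ns" "$name" "$image"
         continue ;;
    esac
    tag=$(image_tag "$image")
    rc=0; is_vulnerable "$tag" || rc=$?
    case $rc in
      0) bad=$((bad + 1))
         if webhook_enabled "$args"; then
           verdict="VULNERABLE ($tag): unauthenticated RCE reachable from the pod network; upgrade now or disable the webhook"
         else
           verdict="VULNERABLE ($tag): webhook disabled, unauthenticated path closed; still upgrade, the annotation injection CVEs remain"
         fi ;;
      1) verdict="fixed ($tag)" ;;
      *) verdict="UNKNOWN tag '$tag': pin to a released version and re-check" ;;
    esac
    printf '%s/%s: %s\n' "$ns" "$name" "$verdict"
  done
  [ "$bad" -eq 0 ]
}

# Constructed sample input for a stand-alone run. For a live cluster, feed audit with
# (assumed kubectl invocation, see the assumptions above):
#   kubectl get deploy,ds -A -l app.kubernetes.io/name=ingress-nginx,app.kubernetes.io/component=controller \
#     -o jsonpath='{range .items[*]}{.metadata.namespace} {.metadata.name} {.spec.template.spec.containers[0].image} {range .spec.template.spec.containers[0].args[*]}{@} {end}{"\n"}{end}'
if audit <<'EOF'
ingress-nginx ingress-nginx-controller registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:0000000000000000000000000000000000000000000000000000000000000000 --validating-webhook=:8443 --election-id=ingress-nginx-leader
edge edge-ingress registry.k8s.io/ingress-nginx/controller:v1.11.5 --validating-webhook=:8443
legacy old-ingress registry.k8s.io/ingress-nginx/controller:v1.10.1 --election-id=ingress-nginx-leader
ingress-nginx ingress-nginx-defaultbackend registry.k8s.io/defaultbackend-amd64:1.5
EOF
then echo "no affected ingress-nginx controllers found"
else echo "ACTION REQUIRED: affected ingress-nginx controllers present"
fi
```

Run the script as-is to see the verdicts for the constructed sample, or pipe real kubectl output into audit to gate a CI job on its exit status. A mutable tag such as latest is reported as unknown rather than guessed, and non-controller images matched by the label selector are skipped instead of being misclassified.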
References:
- https://kubernetes.io/blog/2025/03/24/ingress-nginx-cve-2025-1974/
- https://nvd.nist.gov/vuln/detail/CVE-2025-1974
- https://github.com/sandumjacob/IngressNightmare-POCs/tree/main/CVE-2025-1974