Full Report
Heads-up for Kubernetes admins! A batch of five critical vulnerabilities called “IngressNightmare” (CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, and CVE-2025-1974) affecting Ingress NGINX has recently been patched; the flaws pose a serious risk to clusters. With over 40% of Kubernetes environments relying on Ingress NGINX, swift action is crucial to safeguard your systems and data against RCE attacks. […] The post CVE-2025-1974: Critical Set of Vulnerabilities in Ingress NGINX Controller for Kubernetes Leading to Unauthenticated RCE appeared first on SOC Prime.
Analysis Summary
# Vulnerability: Unauthenticated RCE in Ingress NGINX Controller (IngressNightmare)
## CVE Details
- CVE ID: CVE-2025-1974 (Part of the "IngressNightmare" set: CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, and CVE-2025-1974)
- CVSS Score: Critical (Score not explicitly provided, but described as critical)
- CWE: Not specified
## Affected Systems
- Products: Ingress NGINX Controller for Kubernetes
- Versions: Versions prior to v1.12.1 and v1.11.5
- Configurations: Not specified, but relates to configuration handling within the Ingress Controller.
## Vulnerability Description
CVE-2025-1974 is a critical vulnerability in the Ingress NGINX Controller that, when combined with other "IngressNightmare" flaws, allows for unauthenticated Remote Code Execution (RCE) leading to potential cluster takeover. The exploitation flow involves injecting a malicious configuration that allows an attacker to read sensitive files and execute arbitrary code, potentially leveraging a privileged Kubernetes Service Account.
## Exploitation
- Status: PoC available (Implied by the context of a critical patch release and combination with other flaws leading to cluster compromise)
- Complexity: Low (Allows for unauthenticated access and cluster compromise)
- Attack Vector: Network (Requires external access to the Ingress Controller)
## Impact
- Confidentiality: High (Access to cluster-wide secrets)
- Integrity: High (Ability to execute arbitrary code)
- Availability: Potentially High (Full cluster compromise)
## Remediation
### Patches
- Ingress NGINX Controller v1.12.1
- Ingress NGINX Controller v1.11.5
### Workarounds
1. Immediately update to the patched versions.
2. Restrict external access to the admission webhook.
3. As a precautionary measure, restrict access to the Kubernetes API Server admission controller or disable it entirely if not required.
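
To act on the first step, the controller images running in a cluster can be checked against the two fixed releases listed above. The following is an added example, not code from the advisory or the ingress-nginx project; the sample image references are constructed, the `registry.example.internal` host is hypothetical, and treating release lines newer than 1.12 as patched is an assumption.

```python
import re

# Fixed releases named on this page, keyed by (major, minor) release line.
FIXED = {(1, 11): 5, (1, 12): 1}
# Matches a semver tag such as ":v1.11.4" or ":1.12.1-beta.0", optionally before "@digest".
TAG_RE = re.compile(r":v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?(?:@|$)")


def classify(image):
    """Return 'patched', 'vulnerable' or 'unknown' for a controller image reference."""
    m = TAG_RE.search(image)
    if not m:
        return "unknown"  # digest-only or floating tag such as 'latest': check manually
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    prerelease = m.group(4) is not None
    line = (major, minor)
    if line in FIXED:
        fixed_patch = FIXED[line]
        # A pre-release of the fixed version sorts before the fix itself.
        if patch > fixed_patch or (patch == fixed_patch and not prerelease):
            return "patched"
        return "vulnerable"
    # Lines older than 1.11 have no fixed release on this page.
    # Assumption: lines newer than 1.12 were cut after v1.12.1 and carry the fix.
    return "patched" if line > max(FIXED) else "vulnerable"


def audit(images):
    """Return (image, verdict) pairs for every image not confirmed patched."""
    verdicts = ((img, classify(img)) for img in images)
    return [(img, v) for img, v in verdicts if v != "patched"]


# Constructed sample input, standing in for image fields collected from pod specs.
SAMPLE_IMAGES = [
    "registry.k8s.io/ingress-nginx/controller:v1.11.4",
    "registry.k8s.io/ingress-nginx/controller:v1.12.1",
    "registry.example.internal:5000/ingress-nginx/controller:v1.12.0",
    "registry.k8s.io/ingress-nginx/controller:v1.10.6",
    "registry.example.internal:5000/ingress-nginx/controller:latest",
]

if __name__ == "__main__":
    for img, verdict in audit(SAMPLE_IMAGES):
        print(f"{verdict:10} {img}")
```

A verdict of `unknown` means the tag carries no version, so the running image has to be identified another way before it can be considered safe.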
## Detection
- Indicators of Compromise: Look for unexpected file reads or execution attempts originating from processes related to the Ingress Controller configuration paths.
- Detection Methods and Tools: Organizations should utilize security tools (like the SOC Prime Platform mentioned) tailored for detecting attacks targeting critical Kubernetes infrastructure components.
## References
- Vendor Advisories: Kubernetes Blog Post Regarding CVE-2025-1974 (Patch release: v1.12.1 and v1.11.5)
- Relevant Links:
  - hxxps://kubernetes.io/blog/2025/03/24/ingress-nginx-cve-2025-1974/