overview
CVE-2025-1974 is a critical vulnerability in the Kubernetes Ingress NGINX Controller that permits unauthenticated remote code execution (RCE). This flaw enables attackers with access to the pod network to execute arbitrary code within the ingress-nginx controller context, potentially leading to the exposure of all Secrets cluster-wide. The vulnerability is classified as critical with a CVSS score of 9.8 and presents a severe threat to Kubernetes environments
Affected Products and Versions
- Vulnerable Versions:
- Ingress NGINX Controller versions prior to 1.11.5
- Ingress NGINX Controller versions 1.11.0 to 1.11.4
- Ingress NGINX Controller version 1.12.0
- Patched Versions:
- Ingress NGINX Controller version 1.11.5
- Ingress NGINX Controller version 1.12.1 or later
Threat Status
No active exploitation has been reported as of the disclosure date. However, due to the vulnerability’s critical nature, exploitation attempts are expected to emerge. Attackers could exploit this vulnerability through the following methods:
- Accessing the admission controller component exposed without authentication.
- Injecting malicious payloads via customized ingress configurations.
- Utilizing the vulnerability to perform cluster-wide attacks such as RCE or full cluster takeover.
Organizations using the Ingress NGINX Controller are advised to patch immediately, as the flaw affects approximately 43% of cloud environments.
how avertium is protecting our customers
IOCs ADDED TO OUR THREAT FEEDS
Currently, there are no verified Indicators of Compromise (IoCs) specific to CVE-2025-1974. However, security researchers and organizations are actively investigating potential IoCs[1][2]. Users should remain vigilant and monitor for the following:
- Unauthorized access attempts targeting the Validating Admission Controller.
- Unusual activity, such as access to Secrets across namespaces.
Mitigation Steps
To reduce the risk of exploitation while IoCs are being identified:
- Upgrade to patched versions v1.11.5 or v1.12.1 immediately.
- If upgrading is not immediately possible:
- Disable the Validating Admission Controller functionality of Ingress NGINX.
- Apply network policies to restrict pod network access.
Organizations should also actively monitor updates from Kubernetes Security Advisories, Ingress NGINX maintainers, and cloud service providers.
MITRE ATT&CK AND TTPs
The following tactics, techniques, and procedures (TTPs) from the MITRE ATT&CK framework are associated with possible exploitation scenarios for CVE-2025-1974:
|
Tactic
|
Technique
|
Description
|
|
Initial Access
|
T1190 - Exploit Public-Facing Application
|
Exploiting the Ingress NGINX Controller to gain initial cluster access.
|
|
Execution
|
T1059 - Command and Scripting Interpreter
|
Running malicious commands or scripts through RCE.
|
|
Privilege Escalation
|
T1068 - Exploitation for Privilege Escalation
|
Elevating privileges to the controller level, granting extensive cluster access.
|
|
Defense Evasion
|
T1562.001 - Disable or Modify Tools
|
Disabling security tools or indicators in the cluster.
|
|
Credential Access
|
T1552 - Unsecured Credentials
|
Accessing sensitive credentials within Kubernetes Secrets.
|
|
Discovery
|
T1082 - System Information Discovery
|
Gathering information about the cluster components for attack planning.
|
|
Lateral Movement
|
T1210 - Exploitation of Remote Services
|
Using the compromised controller to attack other cluster services.
|
|
Collection
|
T1530 - Data from Cloud Storage Object
|
Extracting sensitive Secrets or data stored in Kubernetes.
|
|
Exfiltration
|
T1041 - Exfiltration Over C2 Channel
|
Establishing command-and-control for data theft.
|
|
Impact
|
T1499 - Endpoint Denial of Service
|
Disrupting controller operations to cause traffic denial.
|
additional Recommendations + information
Immediate Mitigation Steps
- Upgrade Software:
Upgrade to Ingress NGINX Controller versions:
- 1.11.5 for older versions.
- 1.12.1 or later for those utilizing version 1.12.0.
- Disable Admission Controller (if patches cannot be immediately deployed):
- Helm Installations: Set controller.admissionWebhooks.enabled=false.
- Manual Installations:
- Delete ValidatingWebhookConfiguration called ingress-nginx-admission.
- Update the controller's arguments to remove --validating-webhook.
- Restrict Pod Network Access:
Apply network segmentation policies to limit exposure of the admission controller.
Enhancements for Detection and Monitoring
- Logging and Monitoring:
- Enable detailed monitoring for ingress traffic and API calls to detect anomalies early.
- Leverage tools like Splunk or Datadog for Kubernetes-native log aggregation and anomaly detection.
- Host-based Security Measures:
- Use a Web Application Firewall (WAF) in front of the Ingress NGINX Controller to filter malicious traffic.
- Harden Role-Based Access Controls (RBAC) for the Ingress NGINX Controller components.
Additional Recommendations
- Conduct regular vulnerability scans and audits of Kubernetes clusters using tools like Kubescape or similar solutions.
- Ensure TLS certificates and Secrets management are up-to-date and compliant with security best practices.
ADDITIONAL SERVICE OFFERINGS
Organizations can leverage Avertium’s cybersecurity services to address the risks posed by CVE-2025-1974:
Threat Detection & Response (TDR)
- 24/7 monitoring of Kubernetes environments ensures proactive detection of potential attacks.
Vulnerability Management:
- Comprehensive vulnerability scanning and prioritization of remediation based on risk levels.
Cybersecurity Strategy:
- Development of incident response plans based on MITRE ATT&CK mapping and advanced threat intelligence assessments.
Microsoft Security Solutions
- Specialized support for securing Kubernetes instances deployed in Microsoft Azure environments.
By implementing these recommendations and services, organizations can significantly reduce the risk of exploitation and enhance the resilience of their Kubernetes environments against emerging threats
SUPPORTING DOCUMENTATION
