overview

CVE-2025-1974 is a critical vulnerability in the Kubernetes Ingress NGINX Controller that permits unauthenticated remote code execution (RCE). This flaw enables attackers with access to the pod network to execute arbitrary code within the ingress-nginx controller context, potentially leading to the exposure of all Secrets cluster-wide. The vulnerability is classified as critical with a CVSS score of 9.8 and presents a severe threat to Kubernetes environments.

Affected Products and Versions

  • Vulnerable Versions:
    • Ingress NGINX Controller versions prior to 1.11.5
    • Ingress NGINX Controller versions 1.11.0 to 1.11.4
    • Ingress NGINX Controller version 1.12.0
  • Patched Versions:
    • Ingress NGINX Controller version 1.11.5
    • Ingress NGINX Controller version 1.12.1 or later

Threat Status

No active exploitation has been reported as of the disclosure date. However, due to the vulnerability’s critical nature, exploitation attempts are expected to emerge. Attackers could exploit this vulnerability through the following methods:

  1. Accessing the admission controller component exposed without authentication.
  2. Injecting malicious payloads via customized ingress configurations.
  3. Utilizing the vulnerability to perform cluster-wide attacks such as RCE or full cluster takeover.

Organizations using the Ingress NGINX Controller are advised to patch immediately, as the flaw affects approximately 43% of cloud environments.

how avertium is protecting our customers

IOCs ADDED TO OUR THREAT FEEDS

Currently, there are no verified Indicators of Compromise (IoCs) specific to CVE-2025-1974. However, security researchers and organizations are actively investigating potential IoCs[1][2]. Users should remain vigilant and monitor for the following:

  • Unauthorized access attempts targeting the Validating Admission Controller.
  • Unusual activity, such as access to Secrets across namespaces.

Mitigation Steps

To reduce the risk of exploitation while IoCs are being identified:

  1. Upgrade to patched versions v1.11.5 or v1.12.1 immediately.
  2. If upgrading is not immediately possible:
    • Disable the Validating Admission Controller functionality of Ingress NGINX.
    • Apply network policies to restrict pod network access.

Organizations should also actively monitor updates from Kubernetes Security Advisories, Ingress NGINX maintainers, and cloud service providers.

MITRE ATT&CK AND TTPs

The following tactics, techniques, and procedures (TTPs) from the MITRE ATT&CK framework are associated with possible exploitation scenarios for CVE-2025-1974:

Tactic                | Technique                                     | Description
----------------------|-----------------------------------------------|------------------------------------------------------------------------------
Initial Access        | T1190 - Exploit Public-Facing Application     | Exploiting the Ingress NGINX Controller to gain initial cluster access.
Execution             | T1059 - Command and Scripting Interpreter     | Running malicious commands or scripts through RCE.
Privilege Escalation  | T1068 - Exploitation for Privilege Escalation | Elevating privileges to the controller level, granting extensive cluster access.
Defense Evasion       | T1562.001 - Disable or Modify Tools           | Disabling security tools or indicators in the cluster.
Credential Access     | T1552 - Unsecured Credentials                 | Accessing sensitive credentials within Kubernetes Secrets.
Discovery             | T1082 - System Information Discovery          | Gathering information about the cluster components for attack planning.
Lateral Movement      | T1210 - Exploitation of Remote Services       | Using the compromised controller to attack other cluster services.
Collection            | T1530 - Data from Cloud Storage Object        | Extracting sensitive Secrets or data stored in Kubernetes.
Exfiltration          | T1041 - Exfiltration Over C2 Channel          | Establishing command-and-control for data theft.
Impact                | T1499 - Endpoint Denial of Service            | Disrupting controller operations to cause traffic denial.

additional Recommendations + information

Immediate Mitigation Steps

  1. Upgrade Software:
    Upgrade to Ingress NGINX Controller versions:
    • 1.11.5 for older versions.
    • 1.12.1 or later for those utilizing version 1.12.0.

  2. Disable Admission Controller (if patches cannot be immediately deployed):
    • Helm Installations: Set controller.admissionWebhooks.enabled=false.
    • Manual Installations:
      • Delete the ValidatingWebhookConfiguration named ingress-nginx-admission.
      • Update the controller's arguments to remove --validating-webhook.

  3. Restrict Pod Network Access:
    Apply network segmentation policies to limit exposure of the admission controller.
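The two mitigation lists on this page (upgrade; otherwise disable the admission webhook and restrict pod-network access to it) carried out as one script. This is an added example, not Avertium's or the ingress-nginx project's own code. It assumes the upstream default names, which must be checked against the actual deployment: namespace ingress-nginx, Deployment ingress-nginx-controller, Helm release ingress-nginx, ValidatingWebhookConfiguration ingress-nginx-admission, controller pod labels app.kubernetes.io/name=ingress-nginx and app.kubernetes.io/component=controller, and the webhook listening on TCP 8443. The CIDR the kube-apiserver connects from is an assumption supplied through APISERVER_CIDR. The version check and the NetworkPolicy generator are plain shell functions that run without a cluster; the steps that touch the cluster run only when the script is invoked with APPLY=1.

```shell
#!/bin/sh
# Added example (not Avertium's or the ingress-nginx project's code).
# Assumed defaults, to be verified against your deployment: namespace
# "ingress-nginx", Deployment "ingress-nginx-controller", Helm release
# "ingress-nginx", webhook config "ingress-nginx-admission", webhook port 8443.

# Classify a controller version against the advisory's ranges: everything
# before 1.11.5 and exactly 1.12.0 are vulnerable; 1.11.5 and 1.12.1 or later
# are patched. Accepts "v1.11.4" or "1.11.4"; prints vulnerable|patched|unknown.
ingress_nginx_status() {
    v=${1#v}
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    case $rest in
        *.*) patch=${rest#*.} ;;
        *)   patch=0 ;;             # "1.12" is treated as 1.12.0
    esac
    patch=${patch%%[!0-9]*}         # drop pre-release suffixes such as "-rc1"
    [ -z "$patch" ] && patch=0
    case "$major$minor$patch" in
        *[!0-9]*) echo unknown; return ;;   # e.g. the "latest" tag
    esac
    if [ "$major" -lt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -lt 11 ]; }; then
        echo vulnerable
    elif [ "$major" -eq 1 ] && [ "$minor" -eq 11 ]; then
        [ "$patch" -lt 5 ] && echo vulnerable || echo patched
    elif [ "$major" -eq 1 ] && [ "$minor" -eq 12 ] && [ "$patch" -lt 1 ]; then
        echo vulnerable
    else
        echo patched
    fi
}

# Emit a NetworkPolicy for the controller pods: HTTP/HTTPS stay reachable from
# anywhere (a rule with ports but no "from" allows all sources), while the
# admission webhook port is reachable only from the given CIDR.
# $1 = namespace, $2 = CIDR the kube-apiserver connects from (an assumption;
# confirm it, e.g. from the source IPs of webhook calls in your logs).
render_network_policy() {
    cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-ingress-nginx-webhook
  namespace: $1
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/component: controller
  policyTypes:
    - Ingress
  ingress:
    - ports:
        - port: 80
          protocol: TCP
        - port: 443
          protocol: TCP
    - from:
        - ipBlock:
            cidr: $2
      ports:
        - port: 8443
          protocol: TCP
EOF
}

main() {
    ns=ingress-nginx
    img=$(kubectl -n "$ns" get deployment ingress-nginx-controller \
          -o jsonpath='{.spec.template.spec.containers[0].image}')
    img=${img%%@*}                  # strip any @sha256:... digest
    tag=${img##*:}
    status=$(ingress_nginx_status "$tag")
    echo "controller image tag $tag: $status"
    [ "$status" = patched ] && return 0

    # Preferred fix is upgrading to 1.11.5 / 1.12.1+. Interim fix: disable the
    # admission webhook (Helm path below; pin --version if the chart version
    # must not change). Manual installs instead delete the webhook config and
    # remove --validating-webhook from the controller's arguments.
    if command -v helm >/dev/null 2>&1; then
        helm upgrade ingress-nginx ingress-nginx \
            --repo https://kubernetes.github.io/ingress-nginx -n "$ns" \
            --reuse-values --set controller.admissionWebhooks.enabled=false
    else
        kubectl delete validatingwebhookconfiguration ingress-nginx-admission
    fi
    render_network_policy "$ns" "${APISERVER_CIDR:-10.0.0.0/24}" | kubectl apply -f -
}

# Live steps only on request: APPLY=1 APISERVER_CIDR=10.0.0.0/24 sh mitigate.sh
if [ "${APPLY:-0}" = 1 ]; then main; fi
```

The NetworkPolicy only helps where the CNI enforces NetworkPolicy and the API server's webhook calls actually traverse the pod network from the configured CIDR; where the API server reaches pods through a host-network path, the CIDR must cover that path or legitimate admission calls will be blocked. Disabling the webhook removes the vulnerable component outright, so the policy is defence in depth rather than a substitute for the upgrade.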

Enhancements for Detection and Monitoring

  • Logging and Monitoring:
    • Enable detailed monitoring for ingress traffic and API calls to detect anomalies early.
    • Leverage tools like Splunk or Datadog for Kubernetes-native log aggregation and anomaly detection.
  • Host-based Security Measures:
    • Use a Web Application Firewall (WAF) in front of the Ingress NGINX Controller to filter malicious traffic.
    • Harden Role-Based Access Controls (RBAC) for the Ingress NGINX Controller components.
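A concrete form of the monitoring suggested in the IoC section (access to Secrets across namespaces) and in the logging bullet above: a filter over kube-apiserver audit events, one JSON object per line. This is an added example, not Avertium's code, and the five audit lines are constructed. One caveat a detection engineer needs first: the controller legitimately lists and watches Secrets cluster-wide in order to serve TLS, so cluster-wide Secret reads by its service account are the baseline, not the signal. What stands out after a compromise of the controller pod is its service-account token being used by a different client, so the filter keys on the userAgent. It assumes the controller's own client identifies itself with a userAgent starting with nginx-ingress-controller/ (verify against your own baseline before alerting on it) and the default service account name system:serviceaccount:ingress-nginx:ingress-nginx.

```shell
#!/bin/sh
# Added example (not Avertium's code). Flags Secret reads made with the
# ingress-nginx controller's service-account identity by a client other than
# the controller itself. Assumptions: service account
# system:serviceaccount:ingress-nginx:ingress-nginx and a controller
# userAgent beginning "nginx-ingress-controller/".

# Reads audit events (one JSON object per line) on stdin and prints
# "<verb> <sourceIP> <userAgent>" for each suspicious Secret read.
flag_secret_reads() {
    awk -v sa='"username":"system:serviceaccount:ingress-nginx:ingress-nginx"' '
        index($0, sa) && index($0, "\"resource\":\"secrets\"") {
            ua = ""
            if (match($0, /"userAgent":"[^"]*"/)) ua = substr($0, RSTART + 13, RLENGTH - 14)
            # The controller talking to the API server with its own client is baseline.
            if (ua !~ /^nginx-ingress-controller\//) {
                verb = ""; if (match($0, /"verb":"[^"]*"/))       verb = substr($0, RSTART + 8, RLENGTH - 9)
                ip = "";   if (match($0, /"sourceIPs":\["[^"]*"/)) ip = substr($0, RSTART + 14, RLENGTH - 15)
                print verb, ip, (ua == "" ? "-" : ua)
            }
        }'
}

# Constructed sample events (audit.k8s.io/v1 shape, trimmed to the fields used):
# 1 controller's own cluster-wide list (baseline), 2 curl from inside the pod
# reading one Secret, 3 kubectl with the pod token listing all Secrets,
# 4 a human user reading a Secret, 5 the service account reading a ConfigMap.
SAMPLE_AUDIT=$(cat <<'EOF'
{"kind":"Event","level":"Metadata","stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:ingress-nginx:ingress-nginx"},"sourceIPs":["10.244.1.7"],"userAgent":"nginx-ingress-controller/v1.11.4 (linux/amd64)","objectRef":{"resource":"secrets","apiVersion":"v1"},"responseStatus":{"code":200}}
{"kind":"Event","level":"Metadata","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:ingress-nginx:ingress-nginx"},"sourceIPs":["10.244.1.7"],"userAgent":"curl/8.5.0","objectRef":{"resource":"secrets","namespace":"payments","name":"db-credentials","apiVersion":"v1"},"responseStatus":{"code":200}}
{"kind":"Event","level":"Metadata","stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:ingress-nginx:ingress-nginx"},"sourceIPs":["10.244.1.7"],"userAgent":"kubectl/v1.31.0","objectRef":{"resource":"secrets","apiVersion":"v1"},"responseStatus":{"code":200}}
{"kind":"Event","level":"Metadata","stage":"ResponseComplete","verb":"get","user":{"username":"alice@example.com"},"sourceIPs":["192.0.2.10"],"userAgent":"kubectl/v1.31.0","objectRef":{"resource":"secrets","namespace":"default","name":"tls","apiVersion":"v1"},"responseStatus":{"code":200}}
{"kind":"Event","level":"Metadata","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:ingress-nginx:ingress-nginx"},"sourceIPs":["10.244.1.7"],"userAgent":"curl/8.5.0","objectRef":{"resource":"configmaps","namespace":"ingress-nginx","name":"ingress-nginx-controller","apiVersion":"v1"},"responseStatus":{"code":200}}
EOF
)

# Stand-alone run over the constructed sample; in production feed the audit
# log instead, e.g.: tail -F /var/log/kubernetes/audit.log | flag_secret_reads
printf '%s\n' "$SAMPLE_AUDIT" | flag_secret_reads
```

Only events 2 and 3 are printed. Event 1 is the controller's normal behaviour, event 4 is a different identity (and belongs to a separate, per-user baseline), and event 5 touches a ConfigMap rather than a Secret. Capturing userAgent and sourceIPs requires the audit policy to log at least Metadata level for the secrets resource.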

Additional Recommendations

  • Conduct regular vulnerability scans and audits of Kubernetes clusters using tools like Kubescape or similar solutions.
  • Ensure TLS certificates and Secrets management are up-to-date and compliant with security best practices.

ADDITIONAL SERVICE OFFERINGS

Organizations can leverage Avertium’s cybersecurity services to address the risks posed by CVE-2025-1974:

Threat Detection & Response (TDR)

  • 24/7 monitoring of Kubernetes environments ensures proactive detection of potential attacks.

Vulnerability Management

  • Comprehensive vulnerability scanning and prioritization of remediation based on risk levels.

Cybersecurity Strategy

  • Development of incident response plans based on MITRE ATT&CK mapping and advanced threat intelligence assessments.

Microsoft Security Solutions

  • Specialized support for securing Kubernetes instances deployed in Microsoft Azure environments.

By implementing these recommendations and services, organizations can significantly reduce the risk of exploitation and enhance the resilience of their Kubernetes environments against emerging threats.

SUPPORTING DOCUMENTATION
