CVE-2025-1974: Critical IngressNightmare Vulnerability in Kubernetes


CVE-2025-1974, aka IngressNightmare, is a severe vulnerability in the Ingress-NGINX controller for Kubernetes that allows attackers to gain unauthorized access through misconfigured Ingress definitions. This flaw can impact Kubernetes deployments, particularly those in production. Mitigation involves patching the controller, auditing configurations, and tightening access controls to secure Ingress resources.

Severity Level: High

VULNERABILITY OVERVIEW:

  1. CVE-2025-1974 (IngressNightmare) is a critical vulnerability that allows unauthenticated attackers with network access to the Ingress-NGINX admission webhook to inject malicious configurations, leading to RCE.
  2. CVSS Score: 9.8 (Critical).
  3. Versions Affected: NGINX Ingress versions prior to v1.12.1 and v1.11.5.
  4. Root cause:
    o Improper Validation of Ingress Resources: The vulnerability arises from the controller's admission webhook failing to validate incoming Ingress resources properly, allowing attackers to manipulate or bypass security mechanisms.
    o Ingress Misconfiguration: Kubernetes administrators may leave the default or improperly configured settings, which can be exploited by malicious actors.
  5. The vulnerability was disclosed by Wiz Security and has been discussed widely in security circles. A proof-of-concept (PoC) is available, demonstrating how misconfigured Ingress Controllers can be exploited.
  6. The exploit involves the following key steps:
    o The attacker exploits NGINX’s default behaviour of buffering large HTTP requests.
    o They upload a malicious .so (shared object) file as part of an HTTP request to the Ingress Controller.
    o NGINX, by default, buffers these requests, allowing the file to be stored temporarily within the system.
    o Even after the malicious .so file is marked for deletion, it remains accessible through its open file descriptor.
    o The attacker references the file through a special path in /proc//fd/, bypassing normal file deletion and retaining access to the file.
    o The attacker injects malicious NGINX directives (e.g., ssl_engine) into the configuration by exploiting carefully crafted Ingress annotations.
    o These annotations are used to manipulate NGINX’s behaviour, enabling the execution of harmful directives within the controller’s configuration.
    o By executing the malicious NGINX directives, the attacker triggers a reverse shell within the Ingress controller pod.
    o The reverse shell inherits the pod’s service account privileges, which could include broad permissions to access sensitive cluster-wide secrets or perform other malicious activities within the Kubernetes environment.

VULNERABILITY DETECTION:

Verify whether your clusters are using ingress-nginx. Typically, this can be done by running the following command:

kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx
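Listing the pods only tells you whether ingress-nginx is present; the next question is whether the running image predates the fixed releases named below (v1.12.1 and v1.11.5). The following script is an added example, not part of the advisory or of the ingress-nginx project: it parses the JSON form of the same kubectl query (`-o json`), reads the controller image tag from each container, and classifies it against the fixed versions. The pod list embedded here is constructed for illustration; in practice you would feed it the real kubectl output.

```python
import json
import re

# Fixed releases named in the advisory: v1.12.1 on the 1.12 branch, v1.11.5 on the 1.11 branch.
FIXED_VERSIONS = {(1, 12): (1, 12, 1), (1, 11): (1, 11, 5)}

# Constructed sample of what `kubectl get pods --all-namespaces \
#   --selector app.kubernetes.io/name=ingress-nginx -o json` could return.
# Namespaces, pod names and image tags are illustrative, not from a real cluster.
SAMPLE_PODS_JSON = json.dumps({
    "items": [
        {
            "metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller-abc12"},
            "spec": {"containers": [
                {"name": "controller",
                 "image": "registry.k8s.io/ingress-nginx/controller:v1.11.2"}]},
        },
        {
            "metadata": {"namespace": "edge", "name": "ingress-nginx-controller-def34"},
            "spec": {"containers": [
                {"name": "controller",
                 "image": "registry.k8s.io/ingress-nginx/controller:v1.12.1"}]},
        },
    ]
})


def parse_version(image):
    """Extract (major, minor, patch) from an image tag such as ':v1.11.2'; None if untagged."""
    m = re.search(r":v?(\d+)\.(\d+)\.(\d+)", image)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(version):
    """True when the controller version predates the fix for its release branch."""
    branch = version[:2]
    if branch in FIXED_VERSIONS:
        return version < FIXED_VERSIONS[branch]
    # Branches older than 1.11 never received a fix; newer branches ship with it.
    return branch < (1, 11)


def audit_pods(pods_json):
    """Return (namespace, pod, image, status) for every container in the pod list."""
    findings = []
    for pod in json.loads(pods_json)["items"]:
        ns = pod["metadata"]["namespace"]
        name = pod["metadata"]["name"]
        for container in pod["spec"]["containers"]:
            version = parse_version(container["image"])
            if version is None:
                status = "unknown"  # untagged or digest-only image: check the running binary manually
            elif is_vulnerable(version):
                status = "vulnerable"
            else:
                status = "patched"
            findings.append((ns, name, container["image"], status))
    return findings


if __name__ == "__main__":
    for ns, name, image, status in audit_pods(SAMPLE_PODS_JSON):
        print(f"{status:10s} {ns}/{name} {image}")
```

An image referenced only by digest, or by a floating tag such as `latest`, is reported as `unknown` rather than guessed; treat those as vulnerable until the running version is confirmed.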

Recommendations:

  1. Upgrade Ingress-NGINX to v1.12.1 (or later) or v1.11.5 (or later). This patch removes the risky validation approach that enabled RCE.
  2. Restrict Access to the Admission Webhook if you cannot upgrade immediately. Apply network policies so only the Kubernetes API server can connect to the webhook.
  3. Disable Unused Features such as snippet annotations, TLS client auth, or mirroring if they aren’t required. The fewer potential injection points, the better.
  4. Avoid granting cluster-wide privileges to the service account used by ingress. If the controller is compromised, the blast radius is significantly reduced if that account has minimal permissions.
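Recommendation 3 is easiest to act on with an inventory of which Ingress objects already rely on snippet annotations, since those are the annotation-driven injection points described in the exploit steps above. The script below is an added example, not code from the advisory or the ingress-nginx project. It reads the JSON form of `kubectl get ingress --all-namespaces -o json`, lists every `nginx.ingress.kubernetes.io/*-snippet` annotation, flags snippets that contain the `ssl_engine` directive named in this advisory (the `load_module` entry in the list is my own addition, as another directive that loads native code), and reads the controller ConfigMap's `allow-snippet-annotations` key. The Ingress objects and ConfigMap embedded here are constructed samples.

```python
import json
import re

# Every ingress-nginx snippet annotation carries this prefix and ends in "-snippet"
# (configuration-snippet, server-snippet, stream-snippet, ...).
ANNOTATION_PREFIX = "nginx.ingress.kubernetes.io/"

# Directives worth flagging inside an annotation-controlled snippet.
# ssl_engine is the one named in the advisory; load_module is my addition.
RISKY_DIRECTIVES = ("ssl_engine", "load_module")

# Constructed sample of `kubectl get ingress --all-namespaces -o json`.
SAMPLE_INGRESSES_JSON = json.dumps({"items": [
    {"metadata": {"namespace": "shop", "name": "web", "annotations": {
        "kubernetes.io/ingress.class": "nginx"}}},
    {"metadata": {"namespace": "shop", "name": "legacy", "annotations": {
        ANNOTATION_PREFIX + "configuration-snippet":
            'more_set_headers "X-Frame-Options: DENY";'}}},
    {"metadata": {"namespace": "tenant-b", "name": "suspicious", "annotations": {
        ANNOTATION_PREFIX + "server-snippet":
            "ssl_engine CONSTRUCTED_ENGINE_NAME;"}}},
]})

# Constructed sample of the controller ConfigMap (`kubectl get configmap ... -o json`).
SAMPLE_CONFIGMAP_JSON = json.dumps({
    "metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller"},
    "data": {"allow-snippet-annotations": "true"},
})


def snippet_setting(configmap_json):
    """'enabled', 'disabled', or 'default' when the key is absent (built-in default varies by release)."""
    data = json.loads(configmap_json).get("data") or {}
    value = data.get("allow-snippet-annotations")
    if value is None:
        return "default"
    return "enabled" if value.strip().lower() == "true" else "disabled"


def snippet_annotations(ingress):
    """Return the subset of an Ingress's annotations that inject raw NGINX config."""
    ann = ingress.get("metadata", {}).get("annotations") or {}
    return {k: v for k, v in ann.items()
            if k.startswith(ANNOTATION_PREFIX) and k.endswith("-snippet")}


def risky_directives(snippet):
    """List the flagged directives that appear at directive position in a snippet."""
    found = []
    for directive in RISKY_DIRECTIVES:
        # A directive starts a statement: beginning of text, or after whitespace, ';' or '{'.
        if re.search(r"(^|[\s;{])" + re.escape(directive) + r"\b", snippet):
            found.append(directive)
    return found


def audit_ingresses(ingresses_json):
    """One finding per snippet annotation: which Ingress, which annotation, which flagged directives."""
    findings = []
    for ing in json.loads(ingresses_json)["items"]:
        ref = f"{ing['metadata']['namespace']}/{ing['metadata']['name']}"
        for key, value in snippet_annotations(ing).items():
            findings.append({"ingress": ref, "annotation": key,
                             "risky": risky_directives(value)})
    return findings


if __name__ == "__main__":
    print("allow-snippet-annotations:", snippet_setting(SAMPLE_CONFIGMAP_JSON))
    for f in audit_ingresses(SAMPLE_INGRESSES_JSON):
        flag = "REVIEW" if f["risky"] else "ok"
        print(f"{flag:7s} {f['ingress']} {f['annotation']} {f['risky']}")
```

A snippet with no flagged directive (the `legacy` sample) is still reported, because the recommendation is to disable snippet annotations entirely where they are not needed; the flagged list only helps prioritise which objects to examine first. Disabling the feature means setting `allow-snippet-annotations` to `"false"` in the controller ConfigMap once the inventory shows nothing depends on it.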

Source:

  • https://www.fortinet.com/blog/threat-research/ingressnightmare-understanding-cve-2025-1974-in-kubernetes-ingress-nginx?-in-Kubernetes-IngressNGINX
  • https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities
  • https://kubernetes.io/blog/2025/03/24/ingress-nginx-cve-2025-1974/


Ampcus Cyber