* Last update: 25/03/2025
* Affected software: Kubernetes Ingress-nginx controller (in Azure Kubernetes Service AKS) versions before v1.11.5 and v1.12.1
* Type: Improper Isolation or Compartmentalization (CWE-653), Improper Input Validation (CWE-20)
* CVE/CVSS
→ CVE-2025-1974: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
→ CVE-2025-1097: CVSS 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
→ CVE-2025-1098: CVSS 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
→ CVE-2025-24514: CVSS 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
https://github.com/kubernetes/kubernetes/issues/131009
Kubernetes Ingress is a resource that manages external access to services in a Kubernetes cluster via HTTP/HTTPS. The ingress-nginx controller is a popular implementation of Kubernetes Ingress, which acts as a reverse proxy and load balancer to route traffic based on defined rules. It allows for advanced routing, SSL termination, and enhanced traffic management for Kubernetes applications.
A remote, unauthenticated attacker can exploit CVE-2025-1974 and cause complete system compromise.
A remote attacker with low privileges can exploit CVE-2025-1097 or CVE-2025-1098 by modifying specific ingress annotations to access and manipulate Kubernetes cluster traffic routing.
A remote attacker with low privileges can exploit CVE-2025-24514 to compromise the integrity and availability of Kubernetes cluster ingress resources.
All four vulnerabilities have a high impact on all three aspects of the CIA triad (confidentiality, integrity, and availability).
A proof of concept is available for CVE-2025-1974. As of 25/03/2025 it is unconfirmed whether any of these vulnerabilities have been exploited in the wild, but it is likely that they will be exploited in the future.
CVE-2025-1974:
A threat actor, who is network based and without privileges or any user interaction, could successfully exploit this vulnerability to compromise the integrity and availability of Kubernetes cluster resources. That could allow them to access sensitive information and execute unauthorized commands, which can ultimately lead them to compromise the whole system. This procedure is described in a publicly available proof of concept.
CVE-2025-1097:
A threat actor, who is network based and has low privileges, could successfully exploit this vulnerability to compromise the integrity and security of Kubernetes Ingress resources to gain unauthorized access and manipulate the cluster traffic routing. The threat actor can accomplish that by manipulating the auth-tls-match-cn annotation to inject malicious configurations into NGINX, which could allow them to execute code remotely.
CVE-2025-1098:
A threat actor, who is network based and has low privileges, could successfully exploit this vulnerability to compromise the integrity and security of Kubernetes Ingress resources to gain unauthorized access and manipulate the cluster traffic routing. The threat actor can accomplish that by manipulating the mirror-target and mirror-host annotations to inject arbitrary malicious configurations into NGINX, which could allow them to execute code remotely.
CVE-2025-24514:
A threat actor, who is network based and has low privileges, could successfully exploit this vulnerability to compromise the integrity and security of Kubernetes Ingress resources to gain unauthorized access and manipulate the cluster traffic routing. The threat actor can accomplish that by manipulating the auth-url annotation to inject malicious arbitrary configurations into NGINX, which could allow them to execute code remotely.
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing. It is advised to upgrade to version 1.11.5, 1.12.1, or later.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
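To support the Patch and Monitor/Detect recommendations above, the following added example (not part of the CCB advisory or the ingress-nginx project) audits a cluster export for controller images older than the fixed versions and for Ingress objects that use the annotations named in this advisory. It assumes input in the shape of `kubectl get pods -A -o json` and `kubectl get ingress -A -o json`, reads "before v1.11.5 and v1.12.1" as one fixed release per minor line, and uses constructed sample data; the function names are hypothetical.

```python
import json
import re

# Annotations named in this advisory (CVE-2025-1097, CVE-2025-1098, CVE-2025-24514).
PREFIX = "nginx.ingress.kubernetes.io/"
WATCHED = {"auth-tls-match-cn", "mirror-target", "mirror-host", "auth-url"}

def needs_upgrade(image):
    """True if the image tag is before v1.11.5 (1.11 line) or before v1.12.1."""
    m = re.search(r":v?(\d+)\.(\d+)\.(\d+)", image)
    if not m:
        return True  # no parseable version tag: flag for manual review
    major, minor, patch = map(int, m.groups())
    if (major, minor) == (1, 11):
        return patch < 5
    return (major, minor, patch) < (1, 12, 1)

def audit(pods_json, ingress_json):
    """Return (controller pods needing upgrade, ingresses using watched annotations)."""
    pods = []
    for p in json.loads(pods_json)["items"]:
        for c in p["spec"]["containers"]:
            if "ingress-nginx/controller" in c["image"] and needs_upgrade(c["image"]):
                pods.append((p["metadata"]["namespace"], p["metadata"]["name"], c["image"]))
    hits = []
    for i in json.loads(ingress_json)["items"]:
        meta = i["metadata"]
        for key in sorted(meta.get("annotations") or {}):
            if key.startswith(PREFIX) and key[len(PREFIX):] in WATCHED:
                hits.append((meta["namespace"], meta["name"], key[len(PREFIX):]))
    return pods, hits

# Constructed sample input (assumption: same shape as the kubectl JSON output).
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"namespace": "ingress-nginx", "name": "ctrl-a"}, "spec": {"containers": [{"image": "registry.k8s.io/ingress-nginx/controller:v1.11.3"}]}},
    {"metadata": {"namespace": "ingress-nginx", "name": "ctrl-b"}, "spec": {"containers": [{"image": "registry.k8s.io/ingress-nginx/controller:v1.12.1"}]}},
    {"metadata": {"namespace": "default", "name": "web"}, "spec": {"containers": [{"image": "nginx:1.25.0"}]}},
]})
SAMPLE_INGRESS = json.dumps({"items": [
    {"metadata": {"namespace": "default", "name": "shop", "annotations": {PREFIX + "auth-url": "https://auth.example.internal/check", PREFIX + "rewrite-target": "/"}}},
    {"metadata": {"namespace": "default", "name": "blog"}},
]})

if __name__ == "__main__":
    pods, hits = audit(SAMPLE_PODS, SAMPLE_INGRESS)
    print("controllers needing upgrade:", pods)
    print("ingresses to review:", hits)
```

An Ingress listed here is not necessarily malicious; the output is a review list of objects that set the annotations involved in CVE-2025-1097, CVE-2025-1098 and CVE-2025-24514.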