Apache Roller, a widely used Java-based blogging platform, enabling users to create, manage, and publish blog content. It supports features like user authentication, content management, and customizable themes.
OEM
Apache
Severity
Critical
CVSS Score
10.0
CVEs
CVE-2025-24859
Actively Exploited
No
Exploited in Wild
No
Advisory Version
1.0
A critical security vulnerability (CVE-2025-24859) has been discovered in Apache Roller (versions 1.0.0 to 6.1.4), where old sessions are not invalidated after a password change, allowing attackers to maintain unauthorized access if they have stolen a session token. This flaw poses a significant risk of session hijacking and unauthorized access, and users are advised to upgrade to version 6.1.5 to mitigate the issue.
Vulnerability Name
CVE ID
Product Affected
Severity
Insufficient Session Expiration on Password Change
CVE-2025-24859
Apache Roller
Critical
Technical Summary
The vulnerability centers on insufficient session expiration.
When a user or administrator changes a password, Apache Roller versions before 6.1.5 do not properly invalidate existing sessions.
As a result, any session tokens before the password change remain valid.
This means that if an attacker has already compromised a user’s credentials and established a session, they can continue to access the application even after the password is updated, effectively bypassing a key security control.
This can be a big security threat, particularly in systems used by many users or administrators, where it’s important to keep sessions secure.
CVE ID
System Affected
Vulnerability Details
Impact
CVE-2025-24859
Apache Roller 1.0.0 – 6.1.4
Sessions are not invalidated after password change, allowing persistent access through old sessions if compromised.
Unauthorized Access / Session Hijacking
Remediation:
Apply Patches Promptly: Upgrade immediately to Apache Roller version 6.1.5, which implements proper centralized session invalidation.
Conclusion:
CVE-2025-24859 represents a critical access control threat to Apache Roller implementations.
Although no active exploitation has been observed still now, it’s easy for attackers to misuse sessions if they gain access. Its important for organizations using Apache Roller to quickly update to version 6.1.5 to fix this problem.
This is a critical step in maintaining the security of blog sites and protecting user data.
CVE-2025-24859 highlights the importance of robust session management in web applications.
Dell Technologies has released security updates addressing multiple vulnerabilities of varying severity in its PowerScale OneFS operating system.
These vulnerabilities could be exploited by attackers to gain control of high-privilege accounts, bypass security mechanisms, or disrupt system functionality. Dell has issued patches for several of these issues, a summary of some key vulnerabilities is provided in the table below.
Vulnerability Name
CVE ID
Product Affected
Severity
Default Password Vulnerability
CVE-2025-27690
PowerScale OneFS
Critical
Incorrect Authorization Vulnerability
CVE-2025-26330
PowerScale OneFS
High
Integer Overflow or Wraparound Vulnerability
CVE-2025-22471
PowerScale OneFS
Medium
Technical Summary
CVE ID
System Affected
Vulnerability Details
Impact
Affected Version
CVE-2025-27690
PowerScale OneFS
Dell PowerScale OneFS multiple versions contain a default password vulnerability where an unauthenticated remote attacker could potentially exploit this vulnerability, leading to the privilege escalation.
Gain Privileges or Assume Identity
Versions 9.5.0.0 through 9.10.1.0
CVE-2025-26330
PowerScale OneFS
Dell PowerScale OneFS multiple versions contain an incorrect authorization vulnerability where unauthenticated local attacker could potentially exploit this vulnerability to access the cluster with previous privileges of a disabled user account.
Unauthorized Access
Versions 9.4.0.0 through 9.10.0.1
CVE-2025-22471
PowerScale OneFS
Dell PowerScale OneFS multiple versions contain an integer overflow or wraparound vulnerability where an unauthenticated remote attacker exploits this which leads to denial of service.
Service unavailable
Versions 9.4.0.0 through 9.10.0.1
Remediation:
It has been recommended to upgrade to the following versions to address the security risks
OneFS Version
Updated Version
9.10.x.x
9.10.1.1
9.9.x.x
9.9.0.2
9.8.x.x
9.8.0.3
9.7.x.x
9.7.1.7
9.5.x.x
9.5.1.3
Workaround for CVE-2025-27690
It’s always recommended to update to the latest version. If you’re unable to upgrade immediately, you can follow the workarounds provided by the vendor from here.
An unverified password change vulnerability [CWE-620] in FortiSwitch GUI discovered.
This may allow a remote unauthenticated attacker to modify admin passwords via a specially crafted request as per Fortinet advisory released.
Summary
OEM
Fortinet
Severity
CRITICAL
CVSS Score
9.8
CVEs
CVE-2024-48887
Actively Exploited
Yes
Exploited in Wild
Yes
Advisory Version
1.0
Overview
Fortinet’s FortiSwitch product line has revealed a significant vulnerability noted as CVE-2024-48887. This flaw allows unauthenticated remote attackers to change administrative passwords by sending specially crafted requests to the device’s password management endpoint. With a CVSS score of 9.8, the vulnerability is classified as Critical and is actively being exploited in the wild.
Vulnerability Name
CVE ID
Product Affected
Severity
CVSS Score
A unverified password change vulnerability
CVE-2024-48887
Fortinet
CRITICAL
9.8
Technical Summary
A critical vulnerability (CVE-2024-48887) has been identified in Fortinet FortiSwitch devices, affecting versions 6.4.0 through 7.6.0. This flaw resides in the web-based management interface and allows remote, unauthenticated attackers to change administrator passwords by sending a specially crafted HTTP request to the set_password endpoint.
CVE ID
System Affected
Vulnerability Details
Impact
CVE-2024-48887
FortiSwitch v7.6, 7.4, 7.2, 7.0, 6.4
CVE-2024-48887 is an unauthenticated password change vulnerability in FortiSwitch web GUI. It enables remote unauthenticated attackers to modify admin passwords through crafted requests to the set_password endpoint.
Unverified Password Change
Remediation:
Apply Security Patches: Install the latest security update for your FortiSwitch version. Fortinet has fixed the issue in 6.4.15 and above,7.0.11 and above,7.2.9 and above,7.4.5 and above,7.6.1 and above versions.
General Recommendations
Update Devices Regularly always install the latest firmware and security patches from Fortinet to fix known vulnerabilities.
Limit access to the FortiSwitch web GUI to trusted IP addresses and disable HTTP/HTTPS access if it is not required.
Set strong and unique passwords and change them regularly to prevent unauthorized access.
Monitor unusual Activity for suspicious logins or configuration changes.
Conclusion:
The CVE-2024-48887 vulnerability poses a serious security risk to organizations using affected FortiSwitch devices. Its ease of exploitation and the lack of authentication required make it particularly dangerous.
Organizations must act immediately by applying the relevant security patches, limiting administrative access, and monitoring for unusual activity.
Microsoft released April 2025 Patch Tuesday, addressed 135 security vulnerabilities, including a critical zero-day vulnerability (CVE-2025-29824) already being actively exploited.
126 Microsoft CVEs addressed
9 non-Microsoft CVEs included
Microsoft April Patch Tuesday is released every month on priority basis so that organization can address the vulnerabilities as advised by security analysts
OEM
Microsoft
Severity
Critical
Date of Announcement
2025-04-08
No. of Vulnerabilities Patched
135
Actively Exploited
Yes
Exploited in Wild
Yes
Advisory Version
1.0
Overview
Key updates focus on core Windows components like the CLFS driver, Windows Kernel, and multiple remote code execution (RCE) vulnerabilities across many services including Remote Desktop Gateway, LDap, and TCP/IP.
The update addresses both Microsoft and non-Microsoft vulnerabilities, with a significant emphasis on fixing issues that allow attackers to elevate privileges, execute remote code, or bypass security features.
On a similar note publication of 11 critical remote code execution (RCE) vulnerabilities. 13 browser vulnerabilities have already been published separately this month, and are not included in the total.
Vulnerability Name
CVE ID
Product Affected
Severity
CVSS Score
Microsoft Windows CLFS Driver Use-After-Free Vulnerability [zero-day vulnerability]
CVE-2025-29824
Windows
High
7.8
Remote Desktop Gateway Service RCE Vulnerability
CVE-2025-27480 CVE-2025-27482
Windows
High
8.1
LDAP Service RCE Vulnerability
CVE-2025-26663
Windows
High
8.1
LDAP Client RCE Vulnerability
CVE-2025-26670
Windows
High
8.1
Technical Summary
The April 2025 update fixes several high-severity vulnerabilities in Microsoft products, here are some vulnerabilities details:
CVE ID
System Affected
Vulnerability Details
Impact
CVE-2025-29824
Windows 10/11, Windows Server
An elevation of privilege vulnerability in the Windows Kernel caused by improper object access. Attackers with local access could exploit this to gain SYSTEM privileges.
These vulnerabilities allow attackers to execute arbitrary code remotely by exploiting use-after-free conditions when opening malicious Office files, potentially leading to system compromise.
An attacker could bypass security features via improper neutralization in the Microsoft Management Console, leading to remote code execution and potential full system compromise.
CVE-2025-29791 – Excel Type Confusion RCE Vulnerability
This vulnerability allows local attackers to exploit improper logging in NTFS, potentially granting unauthorized access to sensitive memory areas, which could lead to arbitrary code execution.
CVE-2025-26686 – Windows TCP/IP RCE Vulnerability
Memory mismanagement during DHCPv6 handling could allow remote attackers to execute arbitrary code, requiring a complex exploit chain to be effective.
CVE-2025-27491 – Windows Hyper-V RCE Vulnerability
This vulnerability can be exploited by guest users through social engineering, enabling remote code execution on the host system, with a high complexity for successful exploitation.
Remediation:
Apply Patches Promptly: Install the April 2025 security updates immediately to mitigate risks.
General Recommendations:
Prioritize Zero-Day & Critical Vulnerabilities: Focus on patching actively exploited vulnerabilities, especially those affecting Windows CLFS, RDS, LDAP, Excel, and SharePoint-related CVEs.
Secure File System Access: Implement security controls to prevent unauthorized access to NTFS and FAT file systems, particularly against USB-based attack vectors.
Educate Employees: Train users in phishing risks to reduce the chances of executing malicious Microsoft Access files.
Monitor for Exploitation: Continuously monitor systems for any signs of exploitation or suspicious activity.
“Microsoft highly recommends that organizations prioritize applying security updates for elevation of privilege vulnerabilities to add a layer of defense against ransomware attacks if threat actors are able to gain an initial foothold,” the company said in a blog post.
Conclusion:
The April 2025 Patch Tuesday release underscores the critical need for timely patching of Microsoft systems to protect against actively exploited vulnerabilities, including a zero-day privilege escalation flaw.
Microsoft has addressed multiple high-severity vulnerabilities, many of which could result in remote code execution, unauthorized system access, or privilege escalation.
IT teams and users are urged to promptly install the security updates and implement recommended security controls to mitigate these risks. As these vulnerabilities are actively exploited, immediate action is crucial to safeguarding systems from potential compromise.
Be careful when you open that file in whatapp, it might have that spoofing flaw allowing Arbitrary Code Execution (CVE-2025-30401) and affects all versions of WhatsApp Desktop for Windows prior to 2.2450.6, and stems from a bug .
Overview
The vulnerability has been fixed in version 2.2450.6. WhatsApp has and will always be an attractive field for attackers and this particular bug does require user interaction – the victim has to manually open the malicious attachment for the payload to run.
Vulnerability Name
CVE ID
Product Affected
Severity
Fixed Version
Spoofing Vulnerability
CVE-2025-30401
WhatsApp Desktop for Windows
Medium
2.2450.6
Technical Summary
The vulnerability results from WhatsApp for Windows’s different handling of attachments. It opens files depending on their filename extension while displaying files based on their MIME type. This mismatch allows attackers to spoof file types and trick users into launching malicious executables.
Example Scenario:
An attacker sends a file named cat.jpg.exe with a MIME type of image/jpeg. WhatsApp displays the file as an image (because of the MIME type), misleading the user. If the user manually opens the attachment from within WhatsApp, Windows uses the .exe extension to execute the file — potentially launching malicious code.
This form of UI spoofing can be especially effective in group chats, where malicious attachments may be distributed widely and appear harmless.
CVE ID
System Affected
Vulnerability Details
Impact
CVE-2025-30401
WhatsApp Desktop for Windows (<2.2450.6)
MIME type used for display, but file extension used for execution.
A mismatch between the two could allow a file to appear harmless (e.g., image), while actually being executable (e.g., .exe).
Remote Arbitrary code execution
Remediation:
Official Patch Available: The vulnerability has been resolved by Meta (formerly Facebook). Users should update WhatsApp for Windows to version 2.2450.6 or latest version.
Conclusion:
CVE-2025-30401 is a key example of how inconsistent file processing in the user interface can result in serious security threats. Attackers can create misleading payloads that can run arbitrary code by taking advantage of users’ faith in how apps display attachments.
Due to the possibility of remote exploitation, users should update to the latest WhatsApp version 2.2450.6 or later. Patching should be done right away to avoid any compromise.
Threat researchers discovered an arbitrary File Upload vulnerability and an Arbitrary File Deletion vulnerability within the WP Ultimate CSV Importer plugin. This is affecting versions 7.19 and earlier.
The vulnerabilities have been addressed in version 7.19.1 of the plugin.
Summary
OEM
WordPress
Severity
High
CVSS Score
8.8
CVEs
CVE-2025-2008, CVE- 2025-2007
Actively Exploited
Yes
Exploited in Wild
Yes
Advisory Version
1.0
Overview
The security flaw WordPress plugin, Ultimate CSV Importer, affecting over 20,000 websites. The vulnerabilities, identified as CVE-2025-2008 and CVE-2025-2007, can lead to catastrophic consequences, including complete site compromise.
Vulnerability Name
CVE ID
Product Affected
Severity
CVSS Score
Arbitrary File Upload
CVE-2025-2008
WordPress
High
8.8
Arbitrary File Deletion
CVE-2025-2007
WordPress
High
8.1
Technical Summary
A critical security vulnerability has been discovered in the WP Ultimate CSV Importer plugin (versions ≤ v7.19). This flaw allows attackers with only Subscriber level access to exploit the system in two dangerous ways:
Malicious File Upload: Attackers can upload malicious files, potentially enabling remote code execution and granting full control over the affected site. This allows for complete site compromise, including the ability to install backdoors or steal sensitive information.
Critical File Deletion: Attackers can delete crucial files, such as wp-config.php, which can reset the WordPress site and give attackers the ability to take full control over the site.
CVE ID
System Affected
Vulnerability Details
Impact
CVE-2025-2008
WP Ultimate CSV Importer plugin (versions ≤ 7.19)
A critical flaw in the WP Ultimate CSV Importer plugin (≤ v7.19) allows attackers with Subscriber access to upload malicious files due to improper file type validation. This can lead to remote code execution (RCE) and full site takeover.
Remote code execution (RCE)
CVE-2025-2007
WP Ultimate CSV Importer plugin (versions ≤ 7.19)
A serious flaw in the WP Ultimate CSV Importer plugin (≤ v7.19) allows attackers with Subscriber access to delete critical files, like wp-config.php, due to weak file path validation. This can reset the site, letting attackers take control.
Arbitrary file deletion leading to site reset
Remediation:
Install version 7.19.1 or later to fix the security flaws. Keeping all plugins and WordPress updated helps prevent attacks.
General Recommendations
Update the Plugin – Install the latest version (7.19.1+) to fix security issues and keep your site safe.
Limit User Access – Allow only trusted users to upload or delete files to prevent hackers from exploiting vulnerabilities.
Use Security Plugins – Install tools to block threats, monitor activity, and protect your site.
Backup Your Website – Regularly save backups so you can restore your site if it gets hacked or files are deleted.
Conclusion:
A major security issue in a popular WordPress plugin put over 20,000 websites at risk of being taken over by hackers.
Attackers could upload harmful files or delete important ones, making websites vulnerable. This incident shows why keeping plugins updated, limiting user access, and using security tools is crucial. Updating to version 7.19.1 is necessary to stay protected.
3 Zero-Day Vulnerabilities backported & fixed in Apple Devices
Apple backported fixes for three vulnerabilities that have come under active exploitation in the wild to older models and previous versions of the operating systems.
OEM
Apple
Severity
High
CVSS Score
8.8
CVEs
CVE-2025-24201, CVE-2025-24085, and CVE-2025-24200.
No. of Vulnerabilities Patched
03
Actively Exploited
Yes
Exploited in Wild
Yes
Advisory Version
1.0
Overview
Apple has released an urgent security advisory concerning three zero-day vulnerabilities currently being actively exploited: CVE-2025-24200, CVE-2025-24201, and CVE-2025-24085. These vulnerabilities affect a range of Apple devices, such as iPhones, iPads, Macs, and other platforms. Users are strongly urged to update to the latest patched versions to reduce security risks.
Vulnerability Name
CVE ID
Product Affected
Severity
CVSS Score
WebKit Out-of-Bounds Write Vulnerability
CVE-2025-24201
iOS, macOS, visionOS, Safari
High
8.8
Use-After-Free Vulnerability
CVE-2025-24085
iOS, iPasOS, macOS, watchOS, tvOS
High
7.8
Incorrect Authorization Vulnerability
CVE-2025-24200
iOS, iPadOS
Medium
6.1
Technical Summary
Apple’s latest security update patches three Zero-Day vulnerabilities that hackers were actively exploiting. These vulnerabilities could allow attackers to bypass security protections, making devices more vulnerable. One of the vulnerabilities enables remote code execution, letting attackers run malicious programs. Another flaw allows privilege escalation, giving attackers higher-level access to system functions.
Use-after-free vulnerability in CoreMedia allowing privilege escalation via malicious apps.
Privilege escalation via CoreMedia
CVE-2025-24200
iOS 18.3.1, iPadOS 18.3.1, iPadOS 17.7.5 (iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch, etc.)
Authorization bypass vulnerability allowing attackers to disable USB Restricted Mode on locked devices.
Security Bypass USB Restricted Mode
Remediation:
Apply Patches Promptly: Apple has released security updates to address these vulnerabilities. Users should update their devices immediately to mitigate risks
iPhones and iPads: Update to iOS 18.3/iPadOS 18.3 or later.
Macs: Install macOS Sequoia 15.3 or later.
Apple Watch: Upgrade to watchOS 11.3.
Apple TV: Apply tvOS 18.3 updates.
Vision Pro: Install visionOS 2.3 updates.
General Recommendations:
Prioritize Zero-Day Fixes: Focus on patching actively exploited vulnerabilities, especially those affecting USB Restricted Mode, WebKit, and CoreMedia.
Enable Lockdown Mode: On supported devices, Lockdown Mode can provide additional security against targeted attacks.
Be Cautious with USB Devices: Avoid connecting untrusted accessories to Apple devices to mitigate USB-based attack vectors.
Stay Alert for Malicious Websites: Since WebKit vulnerabilities are actively exploited, avoid suspicious links and untrusted web content.
Monitor for Exploitation: Continuously monitor systems for any signs of exploitation or suspicious activity.
Conclusion:
The discovery and active exploitation of these zero-day vulnerabilities underscore the increasing sophistication of cyberattacks targeting Apple’s ecosystem.
While Apple has responded swiftly with patches, users must remain vigilant by keeping their devices updated and adhering to cybersecurity best practices, such as avoiding untrusted applications and enabling Lockdown Mode where applicable.
Apple fixed all the vulnerability with improved state management.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent advisory regarding the critical zero-day vulnerability, CVE-2025-2783, in Google Chrome and other Chromium-based browsers on Windows. This vulnerability is actively exploited in the wild and has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, urged immediate patching to prevent security breaches and unauthorized system access.
Vulnerability Name
CVE ID
Product Affected
Severity
Fixed Version
Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2025-2783
Google Chrome
High
134.0.6998.117/.118
Technical Summary
This high-severity vulnerability found in the Mojo framework of Chromium-based browsers including Google Chrome, Microsoft Edge, and Opera, Brave etc. The vulnerability originates from a logic error that results in an incorrect handle being provided under certain conditions. This flaw allows attackers to bypass Chrome’s sandbox protections and potentially execute arbitrary code on the affected system.
Security researchers from Kaspersky discovered this zero-day vulnerability as part of an advanced cyber-espionage campaign dubbed “Operation ForumTroll.” The attack campaign targeted media outlets, educational institutions, and government organizations in Russia through highly personalized phishing emails.
The exploit chain is particularly dangerous because it requires minimal user interaction. Victims only need to click on a malicious link in a phishing email, after which the attack executes automatically without any additional action from the user. Once triggered, the exploit allows attackers to escape Chrome’s sandbox environment, leading to remote code execution and possible system compromise.
CVE ID
System Affected
Vulnerability Details
Impact
CVE-2025-2783
Google Chrome (Windows)
Incorrect handle provided in Mojo, allowing sandbox escape
Remote code execution, System Compromise
Remediation:
Google Chrome Patch Released: Google has released security updates in Chrome versions 134.0.6998.177/.178 to address this vulnerability. Users should update immediately.
General Recommendations:
Enable Automatic Updates: Ensure automatic updates are enabled in Google Chrome and other Chromium-based browsers to receive future security patches promptly.
Phishing Awareness Training: Organizations should educate employees on identifying and avoiding phishing emails to prevent exploitation.
Endpoint Security Measures: Deploy endpoint detection and response (EDR) solutions to monitor and mitigate potential threats.
CISA Compliance for Federal Agencies: Federal agencies must adhere to CISA’s Binding Operational Directive (BOD) 22-01 to address known exploited vulnerabilities promptly.
Conclusion:
The exploitation of CVE-2025-2783 demonstrates the ongoing threat posed by sophisticated cyber-espionage activities. Google has responded swiftly with a patch, and users are strongly advised to update their browsers immediately. Organizations should remain vigilant against phishing attempts and enhance their cybersecurity posture to mitigate similar threats in the future.
A newly discovered NTLM vulnerability in Windows, allows attackers to obtain login credentials when a user view a malicious file in Windows Explorer. This issue affects all Windows versions, from Windows 7 and Server 2008 R2 to the most recent Windows 11 v24H2 and Server 2025.
Attackers can exploit this flaw by using shared network folders, USB drives, or previously downloaded malicious files, making credential theft easy and difficult to detect.
Vulnerability Name
CVE ID
Product Affected
Severity
Fix
NTLM Hash Disclosure Vulnerability
Not Yet Assigned
Windows OS and Windows Server
High
Unofficial micropatch available via 0patch
Technical Summary
This vulnerability enables attackers to steal NTLM authentication credentials simply by having users view a malicious file in Windows Explorer. Unlike previous NTLM relay attack techniques that required users to execute files, this exploit works just by rendering the malicious file’s metadata in the Windows Explorer preview pane. Attackers can leverage this method in various ways:
Hosting a shared network folder containing the malicious file.
Distributing infected USB drives that trigger the attack when inserted.
Tricking users into downloading the malicious file from a compromised or attacker-controlled website.
Once the credentials are captured, attackers can use NTLM relay attacks to gain unauthorized access to internal systems, escalate privileges, and move laterally across the network.
CVE ID
System Affected
Vulnerability Technical Details
Impact
Not Assigned Yet
Windows 7 – Windows 11 v24H2, Server 2008 R2 – Server 2025
Attackers can capture NTLM credentials when users view malicious files in Windows Explorer. Exploitation methods include shared folders, USB drives, or downloads.
Credential theft, network compromise, and potential lateral movement.
Recommendations
Microsoft Patch Awaited: The vulnerability has been reported to Microsoft, and an official security update is expected in the near future.
Unofficial Micropatch Available: Security researchers at 0patch have released an unofficial micropatch that mitigates this issue. The micropatch is available for all affected Windows versions and will remain free until an official fix is provided by Microsoft.
Steps to Apply 0patch Micropatch:
Create a free account on 0patch Central.
Install and register the 0patch Agent on affected systems.
The micropatch is applied automatically without requiring a system reboot.
Security Best Practices
Disable NTLM authentication where possible.
Implement SMB signing to prevent relay attacks.
Restrict access to public-facing servers like Exchange to limit credential relaying risks.
Educate users to avoid interacting with unknown or suspicious files in shared folders and USB drives.
Conclusion
Although not classified as critical, this NTLM credential theft vulnerability is extremely harmful due to its ease of exploitation. Attackers can exploit NTLM hashes in relay attacks to compromise internal network resources.
Security researchers confirm that comparable flaws have been actively exploited in real-world assaults. Until an official Microsoft patch is available, organizations should prioritize applying the 0patch micropatch and following NTLM security best practices to reduce potential risks.
The Kubernetes Ingress NGINX Admission Controller has detected 5 significant security vulnerabilities affecting all versions of the ingress-nginx controller prior to v1.12.1 and v1.11.5. Here are the cve ids CVE-2025-1974, CVE-2025-1098, CVE-2025-1097, CVE-2025-24514, and CVE-2025-24513.
Maintainer
Kubernetes ingress community
Severity
Critical
CVSS Score
9.8
No. of Vulnerabilities Patched
05
Actively Exploited
No
Exploited in Wild
No
Patch Available
Yes
Advisory Version
1.0
Overview
Admission Controllers frequently don’t require authentication and essentially function as web servers, introducing an additional internal network-accessible endpoint in the cluster. This architecture allows attackers to access them directly from any pod in the network, significantly increasing the attack surface.
The most critical of these, CVE-2025-1974, allows attackers on the pod network to remotely execute code and gain full control of the cluster without authentication.
Although there has not been any active exploitation in the wild, this vulnerability poses a serious risk as it could enable attackers to take complete control of a cluster.
The issue was publicly disclosed on March 24, 2025, and security patches have been released.
Configuration Injection via Unsanitized auth-tls-match-cn annotation
CVE-2025-1097
High
8.8
Configuration Injection via Unsanitized Mirror Annotations
CVE-2025-1098
High
8.8
Unsanitized auth-URL Injection Vulnerability
CVE-2025-24514
High
8.8
Auth Secret File Path Traversal Vulnerability
CVE-2025-24513
Medium
4.8
Technical Summary
CVE ID
System Affected
Vulnerability Details
Impact
CVE-2025-1974
Ingress NGINX Controller v1.12.0 & v1.11.4 and below versions
The Validating Admission Controller does not properly check incoming annotations, allowing attackers on the Pod network to inject configurations and potentially execute arbitrary code across the entire cluster.
Full Kubernetes cluster compromise
CVE-2025-1097
Improper validation of the auth-tls-match-cn annotation allows malicious annotation values to override controller configurations.
Remote code execution
CVE-2025-1098
Unsafe input handling in mirror annotations could result in unauthorized configuration manipulation.
Config injection, security bypass
CVE-2025-24514
Unsanitized input from auth-URL annotations can allow malicious URLs to modify ingress-controller behavior.
Remote code execution
CVE-2025-24513
A path traversal issue in handling auth secret files could let attackers access sensitive information.
Information disclosure
Remediation:
Apply Patches Promptly: Immediately upgrade to ingress-nginx v1.12.1, v1.11.5 or latest versions to mitigate the vulnerabilities.
Temporarily Disable the Validating Admission Controller: It is mandatory to upgrade. If upgrading is not immediately possible, you can temporarily disable the Validating Admission Controller.
General Recommendations:
Set strict RBAC rules to control who can change ingress and webhook settings.
Disable dynamic admission controllers if they aren’t needed.
Monitor cluster audit logs for unusual ingress creation activities and suspicious annotations.
Conduct security reviews and scans for clusters that have not recently been updated.
Regularly check ingredients for weak or unsafe configurations.
Conclusion:
The Kubernetes ingress-nginx vulnerabilities disclosed in March 2025 are among the most severe to date, with CVE-2025-1974 posing a real threat of full cluster compromise. All organizations running affected versions must apply patches or mitigation steps immediately.
The vulnerabilities found are affecting the admission controller component of Ingress NGINX Controller for Kubernetes and highlight the importance of strict configuration validation and access control in Kubernetes environments.
Security researchers from Wiz found that 43% of cloud environments are vulnerable to these vulnerabilities. They uncovered over 6,500 clusters, including Fortune 500 companies, that publicly expose vulnerable Kubernetes ingress controllers’ admission controllers to the public internet—putting them at immediate critical risk.
