Vulnerabilities

Critical NGINX Ingress Vulnerabilities Expose Kubernetes Clusters to Compromise 

Security Advisory

Summary:

The Kubernetes Ingress NGINX Admission Controller has detected 5 significant security vulnerabilities affecting all versions of the ingress-nginx controller prior to v1.12.1 and v1.11.5. Here are the cve ids CVE-2025-1974, CVE-2025-1098, CVE-2025-1097, CVE-2025-24514, and CVE-2025-24513.

Maintainer Kubernetes ingress community 
Severity Critical 
CVSS Score 9.8 
No. of Vulnerabilities Patched 05 
Actively Exploited No 
Exploited in Wild No 
Patch Available Yes 
Advisory Version 1.0 

Overview 

Admission Controllers frequently don’t require authentication and essentially function as web servers, introducing an additional internal network-accessible endpoint in the cluster. This architecture allows attackers to access them directly from any pod in the network, significantly increasing the attack surface.

The most critical of these, CVE-2025-1974, allows attackers on the pod network to remotely execute code and gain full control of the cluster without authentication. 

Although there has not been any active exploitation in the wild, this vulnerability poses a serious risk as it could enable attackers to take complete control of a cluster.

The issue was publicly disclosed on March 24, 2025, and security patches have been released. 

Vulnerability Name CVE ID Product Affected Severity CVSS Score 
Admission Controller Remote Code Execution (RCE) Vulnerability  CVE-2025-1974      Ingress NGINX Admission Controller   Critical 9.8 
Configuration Injection via Unsanitized auth-tls-match-cn annotation  CVE-2025-1097 High 8.8 
Configuration Injection via Unsanitized Mirror Annotations  CVE-2025-1098 High 8.8 
Unsanitized auth-URL Injection Vulnerability  CVE-2025-24514 High 8.8 
Auth Secret File Path Traversal Vulnerability  CVE-2025-24513 Medium 4.8 

Technical Summary 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-1974         Ingress NGINX Controller v1.12.0 & v1.11.4 and below versions The Validating Admission Controller does not properly check incoming annotations, allowing attackers on the Pod network to inject configurations and potentially execute arbitrary code across the entire cluster.   Full Kubernetes cluster compromise 
  CVE-2025-1097 Improper validation of the auth-tls-match-cn annotation allows malicious annotation values to override controller configurations.  Remote code execution 
  CVE-2025-1098 Unsafe input handling in mirror annotations could result in unauthorized configuration manipulation.  Config injection, security bypass 
  CVE-2025-24514 Unsanitized input from auth-URL annotations can allow malicious URLs to modify ingress-controller behavior.  Remote code execution 
  CVE-2025-24513 A path traversal issue in handling auth secret files could let attackers access sensitive information.   Information disclosure 

Remediation

  • Apply Patches Promptly: Immediately upgrade to ingress-nginx v1.12.1, v1.11.5 or latest versions to mitigate the vulnerabilities. 
  • Temporarily Disable the Validating Admission Controller: It is mandatory to upgrade. If upgrading is not immediately possible, you can temporarily disable the Validating Admission Controller. 

General Recommendations: 

  • Set strict RBAC rules to control who can change ingress and webhook settings. 
  • Disable dynamic admission controllers if they aren’t needed. 
  • Monitor cluster audit logs for unusual ingress creation activities and suspicious annotations. 
  • Conduct security reviews and scans for clusters that have not recently been updated. 
  • Regularly check ingredients for weak or unsafe configurations. 

Conclusion: 

The Kubernetes ingress-nginx vulnerabilities disclosed in March 2025 are among the most severe to date, with CVE-2025-1974 posing a real threat of full cluster compromise. All organizations running affected versions must apply patches or mitigation steps immediately.

The vulnerabilities found are affecting the admission controller component of Ingress NGINX Controller for Kubernetes and highlight the importance of strict configuration validation and access control in Kubernetes environments. 

Security researchers from Wiz found that 43% of cloud environments are vulnerable to these vulnerabilities. They uncovered over 6,500 clusters, including Fortune 500 companies, that publicly expose vulnerable Kubernetes ingress controllers’ admission controllers to the public internet—putting them at immediate critical risk. 

References

Critical Security Updates: Microsoft Jan 2025 Patch Tuesday Fixes 8 Zero-Days & 159 Vulnerabilities 

Summary 

Microsoft has released its January 2025 Patch Tuesday updates, delivering critical fixes. Key products impacted include Windows Telephony Service, Windows Digital Media, and MSMQ, among others.

Key take away:

  • Microsoft addressed 159 vulnerabilities across multiple products, including eight zero-day flaws, with three actively exploited in the January 2025 Patch Tuesday updates.
  • Key vulnerabilities include privilege escalation flaws in Hyper-V and remote code execution bugs in Microsoft Excel.
  • This marks highest number of fixes in a single month since at least 2017.
OEM Microsoft 
Severity Critical 
Date of Announcement 2025-01-14 
No. of Vulnerabilities Patched 159 
Actively Exploited yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

Critical updates were issued for Windows Hyper-V, Windows Themes, Microsoft Access, and Windows App Package Installer. The vulnerabilities include elevation of privilege, remote code execution, and spoofing attacks, impacting various systems. The patch targets a range of critical issues across Microsoft products, categorized as follows: 

  • 58 Remote Code Execution (RCE) Vulnerabilities 
  • 40 Elevation of Privilege (EoP) Vulnerabilities 
  • 22 Information Disclosure Vulnerabilities 
  • 20 Denial of Service (DoS) Vulnerabilities 
  • 14 Security Feature Bypass 
  • 5 Spoofing Vulnerabilities 

The highlighted vulnerabilities include 8 zero-day flaws, 3 of which are currently being actively exploited. 

Vulnerability Name CVE ID Product Affected Severity CVSS Score 
Elevation of privilege vulnerability  CVE-2025-21333CVE-2025-21334CVE-2025-21335 Windows High 7.8 
Elevation of Privilege Vulnerability CVE-2025-21275 Windows High 7.8 
Remote Code Execution Vulnerability CVE-2025-21186,CVE-2025-21366, CVE-2025-21395 Windows High 7.8 
Spoofing Vulnerability CVE-2025-21308 Windows Medium 6.5 

Technical Summary 

CVE ID System Affected Vulnerability Details Impact 
 CVE-2025-21333CVE-2025-21334CVE-2025-21335  Windows Hyper-V NT Kernel No information has been released on how elevation of privilege vulnerabilities in Windows Hyper-V NT Kernel Integration VSP, which allow attackers to gain SYSTEM privileges, were exploited in attacks, as they were disclosed anonymously.    Allow attackers to gain SYSTEM privileges 
  CVE-2025-21275  Windows App Package Installer Elevation of privilege vulnerability in the Windows App Package Installer, potentially leading to SYSTEM privileges.   Attackers could gain SYSTEM privileges 
 CVE-2025-21186,CVE-2025-21366, CVE-2025-21395   Microsoft Access  Remote code execution vulnerabilities in Microsoft Access, exploitable via specially crafted Access documents.   Remote Code Execution 
 CVE-2025-21308   Windows Themes Spoofing vulnerability in Windows Themes; viewing a specially crafted theme file in Windows Explorer can lead to NTLM credential theft.   NTLM credential theft 

Source:  Microsoft       

Additional Critical Patches Address High-Severity Vulnerabilities 

  • Eight of this month’s patches address Virtual Secure Mode components, requiring administrators to follow Microsoft’s guidance for updating virtualization-based security (VBS) issues. (CVE-2025-21280, CVE-2025-21284, CVE-2025-21299, CVE-2025-21321, CVE-2025-21331, CVE-2025-21336, CVE-2025-21340, CVE-2025-21370). 
  • Windows NTLM V1 Elevation of Privilege Vulnerability (CVE-2025-21311). 
  • Windows OLE Remote Code Execution Vulnerability (CVE-2025-21298). 

Remediation

  • Apply Updates: Immediately install the January 2025 Patch Tuesday updates to address these vulnerabilities. 
  • Disable NTLM: For CVE-2025-21308, consider disabling NTLM or enabling the “Restrict NTLM: Outgoing NTLM traffic to remote servers” policy to mitigate the risk.  
  • Exercise Caution with Untrusted Files: Avoid opening or interacting with files from untrusted sources, especially those with extensions associated with Microsoft Access. 

Conclusion: 

The January 2025 Patch Tuesday release addresses critical vulnerabilities that could allow attackers to gain elevated privileges, execute arbitrary code, or steal credentials. Prompt application of these updates is essential to maintain system security. Additionally, implementing recommended mitigations, such as disabling NTLM, can provide further protection against potential exploits. 

References

https://msrc.microsoft.com/update-guide/releaseNote/2025-Jan

Scroll to top