VulnerabilityManagement

Linux Kernel Exploitation in ksmbd (CVE-2025-37899) Discovered with AI Assistance

Summary: A high-severity use-after-free vulnerability (CVE-2025-37899) has been discovered in the ksmbd component of the Linux kernel, which implements the SMB3 protocol for file sharing.

OEMLinux
SeverityHigh
CVSS ScoreN/A
CVEsCVE-2025-37899
Actively ExploitedNo
Exploited in WildNo
Advisory Version1.0

Overview

The vulnerability, confirmed on May 20, 2025 which was uncovered through AI-assisted code analysis using OpenAI’s o3 model. It affects multiple versions of the Linux kernel and may lead to arbitrary code execution with kernel privileges. As of now, no official fix is available, but Linux distributions including SUSE team are actively working on patches.

Vulnerability NameCVE IDProduct AffectedSeverity
​ksmbd use-after-free vulnerability  CVE-2025-37899Linux kernel  High

Technical Summary

The vulnerability lies in the ksmbd kernel server component responsible for SMB3 protocol handling.

A use-after-free bug occurs when one thread processes a logoff command and frees the sess->user object, while another thread bound to the same session attempts to access the same object simultaneously. This results in a race condition that can lead to memory corruption and potentially enable attackers to execute arbitrary code with kernel privileges.

CVE IDSystem AffectedVulnerability DetailsImpact
    CVE-2025-37899  Linux kernel (ksmbd)A race condition during handling of SMB2 LOGOFF commands. sess->user is freed in one thread while still being accessed in another, leading to a classic use-after-free vulnerability. The absence of synchronization around sess->user allows attackers to exploit the freed memory during concurrent SMB operations.  Kernel memory corruption, privilege escalation, remote code execution

Remediation:

  • Fix status: As of now, an official fix has not been released. Linux distributions, including SUSE, are actively developing and testing patches.

General Recommendations

  • Monitor your distribution’s security advisories and apply patches as soon as they are available.
  • Consider disabling or restricting ksmbd (in-kernel SMB3 server) if not explicitly required.
  • Use firewall rules to restrict access to SMB services to trusted networks.
  • Employ kernel hardening options (e.g. memory protections, SELinux/AppArmor policies).
  • Audit SMB traffic for signs of abnormal session setup and teardown behavior.

Conclusion:
CVE-2025-37899 highlights the increasing role of AI in modern vulnerability discovery and the complex nature of concurrency bugs in kernel components. While no fix is yet available, administrators should apply defense-in-depth strategies and watch for updates from their Linux vendors.

The discovery underscores the importance of rigorous code audits, especially in components exposed to network traffic and multithreaded processing.

References:

CISCO ISE & UIC Security Flaws Allow DoS, Privilege Escalation

Summary: Cisco has disclosed multiple vulnerabilities affecting its Identity Services Engine (ISE) and Unified Intelligence Center (UIC).

The ISE bug, tracked as CVE-2025-20152, impacts the RADIUS message processing feature and could be exploited remotely, without authentication, to cause ISE to reload, leading to a denial of service (DoS) condition.

OEMCISCO
SeverityHIGH
CVSS Score8.6
CVEsCVE-2025-20152, CVE-2025-20113, CVE-2025-20114
Actively ExploitedNo
Exploited in WildNo
Advisory Version1.0

Overview

This include a critical denial-of-service (DoS) vulnerability in the RADIUS protocol processing (CVE-2025-20152) and two privilege escalation flaws (CVE-2025-20113, CVE-2025-20114).

These unpatched issues, could result in network disruption and unauthorized access to sensitive data.

Vulnerability NameCVE IDProduct AffectedSeverityFixed Version
​RADIUS DoS Vulnerability  CVE-2025-20152Cisco Identity Services Engine  High  ISE 3.4 Patch 1 (3.4P1)
Privilege Escalation Vulnerability  CVE-2025-20113Unified Intelligence Center  High  UIC 12.5(1)SU ES04, 12.6(2)ES04
Privilege Escalation Vulnerability  CVE-2025-20114Unified Intelligence Center  High  UIC 12.5(1)SU ES04, 12.6(2)ES04

Technical Summary

The vulnerabilities identified in ISE and UIC products are critical and the allow an authenticated attacker to elevate their privileges to those of an administrator, for a limited set of functions on a vulnerable system by potentially accessing or manipulating unauthorized data.

Medium-severity bugs were also resolved in Webex, Webex Meetings, Secure Network Analytics Manager, Secure Network Analytics Virtual Manager, ISE, Duo, Unified Communications and Contact Center Solutions, and Unified Contact Center Enterprise (CCE).

CVE IDSystem AffectedVulnerability DetailsImpact
    CVE-2025-20152  CISCO ISE 3.4Improper handling of malformed RADIUS authentication requests can cause a system reload.    Denial of Service (DoS), Network Disruption
      CVE-2025-20113 Unified Intelligence Center  12.5, 12.6Insufficient server-side validation in API/HTTP requests may allow an authenticated attacker to escalate privileges to Admin level for certain functions.    Privilege Escalation, Unauthorized Data Access
    CVE-2025-20114Unified Intelligence Center  12.5, 12.6Insufficient input validation in API allows IDOR attacks, enabling attackers to access data of other users.    Horizontal Privilege Escalation, Data Exposure

Remediation:

Cisco has released security updates to address these vulnerabilities:

  • For CVE-2025-20152 (Cisco ISE):

Upgrade to ISE 3.4P1 or later. No workarounds exist; RADIUS services are enabled by default, making immediate patching critical.

  • For CVE-2025-20113 and CVE-2025-20114 (UIC):

Upgrade to:

  • UIC 12.5(1)SU ES04 or later.
    • UIC 12.6(2)ES04 or later.
    • Unified CCX users should migrate to a fixed release if using affected versions.

Administrators are advised to verify product versions and apply patches through official Cisco channels.

Conclusion:
These vulnerabilities pose significant security risks especially CVE-2025-20152, which affects the core authentication protocol in many Cisco ISE deployments.

Organizations should prioritize updates to mitigate risks of denial-of-service attacks and unauthorized data access. No exploitation in the wild has been observed so far, but given the critical nature, immediate action is strongly recommended.

References:

Critical Privilege Escalation Vulnerability in Motors WordPress Theme

Summary: A critical privilege escalation vulnerability (CVE-2025-4322) has been identified in the Motors WordPress theme, a widely used premium theme tailored for car dealerships, rentals, and vehicle listings.

OEMWordPress
SeverityCritical
CVSS Score9.8
CVEsCVE-2025-4322
Actively ExploitedNo
Exploited in WildNo
Advisory Version1.0

Overview This vulnerability affects versions up to 5.6.67 and could allow unauthenticated attackers to reset passwords for any user, including administrators, leading to complete site compromise. The issue has been addressed in version 5.6.68, and immediate patching is strongly recommended.

Vulnerability NameCVE IDProduct AffectedSeverityFixed Version
​Privilege Escalation via Password Reset Bypass  CVE-2025-4322Motors WordPress Theme  Critical  5.6.68

Technical Summary

The vulnerability arises from insufficient input validation in the Login Register widget of the Motors theme, specifically within the password-recovery.php template. An attacker can manipulate the hash_check parameter using an invalid UTF-8 character, which is improperly sanitized by the esc_attr() function. This allows the attacker to bypass password reset validations and change passwords without authorization, even for administrator accounts.

CVE IDSystem AffectedVulnerability DetailsImpact
    CVE-2025-4322  Motors WordPress Theme (<= 5.6.67)The password-recovery.php file fails to properly validate whether the stm_lost_password_hash exists and is correct. If the hash is empty (e.g. – no reset was requested), an attacker can bypass the check using an invalid UTF-8 character. The esc_attr() sanitization strips the invalid character after validation, resulting in a successful hash match and unauthorized password update.  Complete site compromise.

Remediation:

  • Immediately update: To mitigate the vulnerability, users of the Motors WordPress theme should immediately update to version 5.6.68 or later.

Conclusion:
CVE-2025-4322 is a critical privilege escalation vulnerability affecting over 22,000+ WordPress sites using the Motors theme.

Exploiting this flaw, unauthenticated attackers can reset administrator passwords and gain full control of vulnerable sites. The vulnerability was responsibly disclosed and swiftly addressed by the vendor, with a patched version (5.6.68) released.

Given the ease of exploitation and potential for full site compromise, users are strongly advised to update immediately.

Organizations relying on the Motors theme should also implement multi-layered security practices, such as web application firewalls, routine patching, and access monitoring, to safeguard their digital assets against similar threats in the future.

References:

Critical Firefox 0-Day Vulnerabilities Exploited at Pwn2Own 2025 – Immediate Update Required

Summary: Mozilla Patches Two Critical Zero-Day Vulnerabilities In Firefox.

The Two critical zero-day vulnerabilities (CVE-2025-4918 and CVE-2025-4919) have been discovered in Mozilla Firefox, allowing attackers to execute malicious code through out-of-bounds memory manipulation in the JavaScript engine.

OEMMozilla
SeverityHigh
CVSS Score8.8
CVEsCVE-2025-4918, CVE-2025-4919
Actively ExploitedNo
Exploited in WildNo
Advisory Version1.0

Overview

Mozilla has released emergency security updates to address the issues.

Vulnerability NameCVE IDProduct AffectedSeverityFixed Version
​ JavaScript Promise OOB Access  CVE-2025-4918Firefox  High  Firefox 138.0.4, ESR 128.10.1, 115.23.1
Array Index Confusion  CVE-2025-4919Firefox  High  Firefox 138.0.4, ESR 128.10.1, 115.23.1

Technical Summary

The two vulnerabilities lie within the JavaScript engine of Mozilla Firefox. CVE-2025-4918 arises from improper handling of JavaScript Promise objects, leading to out-of-bounds memory access. CVE-2025-4919 involves an integer overflow during array index calculations, resulting in memory corruption.

Both vulnerabilities can be exploited by tricking users into visiting a malicious website, allowing attackers to gain code execution capabilities within the browser.

CVE IDSystem AffectedVulnerability DetailsImpact
    CVE-2025-4918  Firefox < 138.0.4, ESR < 128.10.1, < 115.23.1Improper memory boundary handling in JavaScript Promise resolution leads to out-of-bounds read/write    Remote Code Execution
    CVE-2025-4919    Firefox < 138.0.4, ESR < 128.10.1, < 115.23.1Array index miscalculation during optimization routines allows memory corruption via out-of-bounds access    Remote Code Execution

Remediation:

  • Update Firefox: Mozilla has released patched versions that fix these vulnerabilities. Users and administrators should immediately update to the latest versions:
  • Firefox 138.0.4 or later
  • Firefox ESR 128.10.1 or later
  • Firefox ESR 115.23.1 or later

Recommendations:

  • Temporary Workarounds (if immediate update is not possible):
  • Avoid visiting unfamiliar or suspicious websites.
  • Use browser security extensions to restrict or disable JavaScript execution.
  • Consider using application whitelisting or sandboxing to restrict browser-based activities.
  • Enterprise Recommendation:
  • Deploy Firefox updates across managed environments using enterprise software deployment tools.
  • Monitor threat intelligence feeds and endpoint protection logs for any signs of exploitation

Conclusion:
The vulnerabilities CVE-2025-4918 and CVE-2025-4919 pose critical risks as they can be exploited for remote code execution via malicious JavaScript. These flaws were responsibly disclosed and demonstrated at Pwn2Own 2025, a leading security research competition held in Berlin.

  • CVE-2025-4918 was discovered and demonstrated by Edouard Bochin and Tao Yan from Palo Alto Networks, involving an out-of-bounds write in the handling of JavaScript Promise objects.
  • CVE-2025-4919 was discovered by security researcher Manfred Paul, who exploited a memory corruption issue through array index manipulation.

Both researchers participated through Trend Micro’s Zero Day Initiative (ZDI), and their demonstrations earned top scores and prizes. Mozilla has responded swiftly with fixes, and users are strongly urged to update immediately.

Staying current with software patches remains a vital defense against modern web-based threats.

The updates, which cover Firefox on both desktop and Android platforms, as well as two Extended Support Releases (ESR), were issued just hours after the event concluded on Saturday—immediately following the public demonstration of the second vulnerability.

References:

High-Severity Linux Kernel Flaw Exposes Systems to Root-Level Attacks

Security advisory: Linux Kernel Flaw raised from vulnerability related to improper memory handling when the splice() function is called. Specifically, the kTLS code fails to correctly update the internal accounting of the plaintext scatter-gather buffer, leading to an out-of-bounds memory write flaw. 

OEMLinux
SeverityHigh
CVSS Score7.8
CVEsCVE-2025-21756
POC AvailableYes
Actively ExploitedNo
Exploited in WildNo
Advisory Version1.0

Overview

A high-severity vulnerability (CVE-2025-21756) has been discovered in the Linux kernel’s Virtual Socket (vsock) implementation, allowing local privilege escalation to root via a use-after-free (UAF) condition caused by incorrect reference counting during socket binding operations.

Vulnerability NameCVE IDProduct AffectedSeverityCVSS Score
​ Use-After-Free vulnerability  CVE-2025-21756Linux kernel  High  7.8

Technical Summary

The kTLS subsystem in the Linux Kernel enables direct TLS encryption and authentication functions within the kernel, supporting secure communication for protocols like HTTPS, email, and other internet-connected applications.

CVE IDSystem AffectedVulnerability DetailsImpact
    CVE-2025-21756    Linux kernel (pre-6.6.79, 6.12.16, 6.13.4, and 6.14-rc1)Improper handling of reference counts in vsock_remove_sock() leads to premature freeing of vsock objects. Attackers can exploit the Use-After- Free (UAF) by reclaiming free memory using crafted pipe buffers and leveraging unprotected tools like vsock_diag_dump() to leak kernel pointers.      Local privilege escalation to root and potential full system compromise.

CVE-2025-21756 is a use-after-free vulnerability in the Linux kernel’s vsock subsystem. It arises due to incorrect reference counter management during transport reassignment of sockets, leading to memory corruption and potential privilege escalation.

Affected systems are particularly exposed in virtualized environments where vsock is actively used.

Remediation:

  • Update Linux Kernel: Users should update their systems immediately with the latest kernel versions
  • Restrict Local Access: Until patches are applied, limit vsock use in shared environments and restrict local access where feasible.
  • Monitor for Exploitation Attempts: Watch for anomalies related to the vsock subsystem, including unexpected kernel panics or vsock socket activity.
  • Review Security Module Configurations: While AppArmor and similar LSMs offer partial protection, ensure they are enabled and correctly configured.

Conclusion:
CVE-2025-21756 poses a significant threat to Linux systems, particularly in cloud and virtualized environments. Its discovery and detailed analysis by Michael Hoefler revealed not only a critical vulnerability but also advanced exploitation techniques capable of bypassing protections like AppArmor and KASLR.

Given the existence of public proof-of-concept code and reliable attack paths, organizations must prioritize patching and mitigation to avoid root-level compromise.

References:



Critical Session Management Vulnerability in Apache Roller 

Summary Security Advisory

Apache Roller, a widely used Java-based blogging platform, enabling users to create, manage, and publish blog content. It supports features like user authentication, content management, and customizable themes.

OEM Apache 
Severity Critical 
CVSS Score 10.0 
CVEs CVE-2025-24859 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

A critical security vulnerability (CVE-2025-24859) has been discovered in Apache Roller (versions 1.0.0 to 6.1.4), where old sessions are not invalidated after a password change, allowing attackers to maintain unauthorized access if they have stolen a session token. This flaw poses a significant risk of session hijacking and unauthorized access, and users are advised to upgrade to version 6.1.5 to mitigate the issue. 

Vulnerability Name CVE ID Product Affected Severity 
Insufficient Session Expiration on Password Change CVE-2025-24859 Apache Roller Critical 

Technical Summary 

The vulnerability centers on insufficient session expiration.

When a user or administrator changes a password, Apache Roller versions before 6.1.5 do not properly invalidate existing sessions.

As a result, any session tokens  before the password change remain valid.

This means that if an attacker has already compromised a user’s credentials and established a session, they can continue to access the application even after the password is updated, effectively bypassing a key security control.

This can be a big security threat, particularly in systems used by many users or administrators, where it’s important to keep sessions secure. 

CVE ID System Affected Vulnerability Details Impact 
 CVE-2025-24859  Apache Roller 1.0.0 – 6.1.4 Sessions are not invalidated after password change, allowing persistent access through old sessions if compromised.  Unauthorized Access /  Session Hijacking 

Remediation

  • Apply Patches Promptly: Upgrade immediately to Apache Roller version 6.1.5, which implements proper centralized session invalidation. 

Conclusion: 

CVE-2025-24859 represents a critical access control threat to Apache Roller implementations.

Although no active exploitation has been observed still now, it’s easy for attackers to misuse sessions if they gain access. Its important for organizations using Apache Roller to quickly update to version 6.1.5 to fix this problem. 

This is a critical step in maintaining the security of blog sites and protecting user data.

CVE-2025-24859 highlights the importance of robust session management in web applications.

References

3 Zero-Day Vulnerabilities backported & fixed in Apple Devices

Summary 

3 Zero-Day Vulnerabilities backported & fixed in Apple Devices

Apple backported fixes for three vulnerabilities that have come under active exploitation in the wild to older models and previous versions of the operating systems.

OEM Apple 
Severity High 
CVSS Score 8.8 
CVEs CVE-2025-24201, CVE-2025-24085, and CVE-2025-24200. 
No. of Vulnerabilities Patched 03 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

Apple has released an urgent security advisory concerning three zero-day vulnerabilities currently being actively exploited: CVE-2025-24200, CVE-2025-24201, and CVE-2025-24085. These vulnerabilities affect a range of Apple devices, such as iPhones, iPads, Macs, and other platforms. Users are strongly urged to update to the latest patched versions to reduce security risks. 

Vulnerability Name CVE ID Product Affected Severity CVSS Score 
WebKit Out-of-Bounds Write Vulnerability  CVE-2025-24201 iOS, macOS, visionOS, Safari  High  8.8 
Use-After-Free Vulnerability  CVE-2025-24085 iOS, iPasOS, macOS, watchOS, tvOS  High  7.8 
Incorrect Authorization Vulnerability  CVE-2025-24200  iOS, iPadOS  Medium  6.1 

Technical Summary 

Apple’s latest security update patches three Zero-Day vulnerabilities that hackers were actively exploiting. These vulnerabilities could allow attackers to bypass security protections, making devices more vulnerable. One of the vulnerabilities enables remote code execution, letting attackers run malicious programs. Another flaw allows privilege escalation, giving attackers higher-level access to system functions. 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-24201  iOS 18.3.2, iPadOS 18.3.2, macOS Sequoia 15.3.2, visionOS 2.3.2, Safari 18.3  Out-of-bounds write issue allowing malicious websites to escape the Web Content sandbox   Remote Code Execution 
 CVE-2025-24085 iOS 18.3, iPadOS 18.3, macOS Sequoia 15.3, watchOS 11.3, tvOS 18.3, visionOS 2.3 Use-after-free vulnerability in CoreMedia allowing privilege escalation via malicious apps.  Privilege escalation via CoreMedia 
 CVE-2025-24200  iOS 18.3.1, iPadOS 18.3.1, iPadOS 17.7.5 (iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch, etc.) Authorization bypass vulnerability allowing attackers to disable USB Restricted Mode on locked devices.  Security Bypass USB Restricted Mode 

Remediation

Apply Patches Promptly: Apple has released security updates to address these vulnerabilities. Users should update their devices immediately to mitigate risks 

  • iPhones and iPads: Update to iOS 18.3/iPadOS 18.3 or later. 
  • Macs: Install macOS Sequoia 15.3 or later. 
  • Apple Watch: Upgrade to watchOS 11.3. 
  • Apple TV: Apply tvOS 18.3 updates. 
  • Vision Pro: Install visionOS 2.3 updates. 

General Recommendations: 

  • Prioritize Zero-Day Fixes: Focus on patching actively exploited vulnerabilities, especially those affecting USB Restricted Mode, WebKit, and CoreMedia.  
  • Enable Lockdown Mode: On supported devices, Lockdown Mode can provide additional security against targeted attacks.  
  • Be Cautious with USB Devices: Avoid connecting untrusted accessories to Apple devices to mitigate USB-based attack vectors. 
  • Stay Alert for Malicious Websites: Since WebKit vulnerabilities are actively exploited, avoid suspicious links and untrusted web content. 
  • Monitor for Exploitation: Continuously monitor systems for any signs of exploitation or suspicious activity. 

Conclusion: 

The discovery and active exploitation of these zero-day vulnerabilities underscore the increasing sophistication of cyberattacks targeting Apple’s ecosystem.

While Apple has responded swiftly with patches, users must remain vigilant by keeping their devices updated and adhering to cybersecurity best practices, such as avoiding untrusted applications and enabling Lockdown Mode where applicable. 

Apple fixed all the vulnerability with improved state management.

References


 

Windows Zero-Day Exploit NTLM Hash Disclosure via Malicious Files

Summary

OEMMicrosoft
SeverityHigh
CVEsNot Yet Assigned
Exploited in WildNo
Patch/Remediation AvailableNo
Advisory Version1.0
Vulnerability Zero-Day

Overview

A newly discovered NTLM vulnerability in Windows, allows attackers to obtain login credentials when a user view a malicious file in Windows Explorer. This issue affects all Windows versions, from Windows 7 and Server 2008 R2 to the most recent Windows 11 v24H2 and Server 2025.

Attackers can exploit this flaw by using shared network folders, USB drives, or previously downloaded malicious files, making credential theft easy and difficult to detect.

Vulnerability NameCVE IDProduct AffectedSeverityFix
             NTLM Hash Disclosure Vulnerability      Not Yet Assigned    Windows OS and Windows Server         High  Unofficial micropatch available via 0patch

Technical Summary

This vulnerability enables attackers to steal NTLM authentication credentials simply by having users view a malicious file in Windows Explorer. Unlike previous NTLM relay attack techniques that required users to execute files, this exploit works just by rendering the malicious file’s metadata in the Windows Explorer preview pane. Attackers can leverage this method in various ways:

  • Hosting a shared network folder containing the malicious file.
  • Distributing infected USB drives that trigger the attack when inserted.
  • Tricking users into downloading the malicious file from a compromised or attacker-controlled website.

Once the credentials are captured, attackers can use NTLM relay attacks to gain unauthorized access to internal systems, escalate privileges, and move laterally across the network.

CVE IDSystem AffectedVulnerability Technical DetailsImpact
  Not Assigned Yet  Windows 7 – Windows 11 v24H2, Server 2008 R2 – Server 2025Attackers can capture NTLM credentials when users view malicious files in Windows Explorer. Exploitation methods include shared folders, USB drives, or downloads.Credential theft, network compromise, and potential lateral movement.  

Recommendations

  • Microsoft Patch Awaited: The vulnerability has been reported to Microsoft, and an official security update is expected in the near future.
  • Unofficial Micropatch Available: Security researchers at 0patch have released an unofficial micropatch that mitigates this issue. The micropatch is available for all affected Windows versions and will remain free until an official fix is provided by Microsoft.

Steps to Apply 0patch Micropatch:

  1. Create a free account on 0patch Central.
  2. Install and register the 0patch Agent on affected systems.
  3. The micropatch is applied automatically without requiring a system reboot.

Security Best Practices

  • Disable NTLM authentication where possible.
  • Implement SMB signing to prevent relay attacks.
  • Restrict access to public-facing servers like Exchange to limit credential relaying risks.
  • Educate users to avoid interacting with unknown or suspicious files in shared folders and USB drives.

Conclusion

Although not classified as critical, this NTLM credential theft vulnerability is extremely harmful due to its ease of exploitation. Attackers can exploit NTLM hashes in relay attacks to compromise internal network resources.

Security researchers confirm that comparable flaws have been actively exploited in real-world assaults. Until an official Microsoft patch is available, organizations should prioritize applying the 0patch micropatch and following NTLM security best practices to reduce potential risks.

References:

Critical NGINX Ingress Vulnerabilities Expose Kubernetes Clusters to Compromise 

Security Advisory

Summary:

The Kubernetes Ingress NGINX Admission Controller has detected 5 significant security vulnerabilities affecting all versions of the ingress-nginx controller prior to v1.12.1 and v1.11.5. Here are the cve ids CVE-2025-1974, CVE-2025-1098, CVE-2025-1097, CVE-2025-24514, and CVE-2025-24513.

Maintainer Kubernetes ingress community 
Severity Critical 
CVSS Score 9.8 
No. of Vulnerabilities Patched 05 
Actively Exploited No 
Exploited in Wild No 
Patch Available Yes 
Advisory Version 1.0 

Overview 

Admission Controllers frequently don’t require authentication and essentially function as web servers, introducing an additional internal network-accessible endpoint in the cluster. This architecture allows attackers to access them directly from any pod in the network, significantly increasing the attack surface.

The most critical of these, CVE-2025-1974, allows attackers on the pod network to remotely execute code and gain full control of the cluster without authentication. 

Although there has not been any active exploitation in the wild, this vulnerability poses a serious risk as it could enable attackers to take complete control of a cluster.

The issue was publicly disclosed on March 24, 2025, and security patches have been released. 

Vulnerability Name CVE ID Product Affected Severity CVSS Score 
Admission Controller Remote Code Execution (RCE) Vulnerability  CVE-2025-1974      Ingress NGINX Admission Controller   Critical 9.8 
Configuration Injection via Unsanitized auth-tls-match-cn annotation  CVE-2025-1097 High 8.8 
Configuration Injection via Unsanitized Mirror Annotations  CVE-2025-1098 High 8.8 
Unsanitized auth-URL Injection Vulnerability  CVE-2025-24514 High 8.8 
Auth Secret File Path Traversal Vulnerability  CVE-2025-24513 Medium 4.8 

Technical Summary 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-1974         Ingress NGINX Controller v1.12.0 & v1.11.4 and below versions The Validating Admission Controller does not properly check incoming annotations, allowing attackers on the Pod network to inject configurations and potentially execute arbitrary code across the entire cluster.   Full Kubernetes cluster compromise 
  CVE-2025-1097 Improper validation of the auth-tls-match-cn annotation allows malicious annotation values to override controller configurations.  Remote code execution 
  CVE-2025-1098 Unsafe input handling in mirror annotations could result in unauthorized configuration manipulation.  Config injection, security bypass 
  CVE-2025-24514 Unsanitized input from auth-URL annotations can allow malicious URLs to modify ingress-controller behavior.  Remote code execution 
  CVE-2025-24513 A path traversal issue in handling auth secret files could let attackers access sensitive information.   Information disclosure 

Remediation

  • Apply Patches Promptly: Immediately upgrade to ingress-nginx v1.12.1, v1.11.5 or latest versions to mitigate the vulnerabilities. 
  • Temporarily Disable the Validating Admission Controller: It is mandatory to upgrade. If upgrading is not immediately possible, you can temporarily disable the Validating Admission Controller. 

General Recommendations: 

  • Set strict RBAC rules to control who can change ingress and webhook settings. 
  • Disable dynamic admission controllers if they aren’t needed. 
  • Monitor cluster audit logs for unusual ingress creation activities and suspicious annotations. 
  • Conduct security reviews and scans for clusters that have not recently been updated. 
  • Regularly check ingredients for weak or unsafe configurations. 

Conclusion: 

The Kubernetes ingress-nginx vulnerabilities disclosed in March 2025 are among the most severe to date, with CVE-2025-1974 posing a real threat of full cluster compromise. All organizations running affected versions must apply patches or mitigation steps immediately.

The vulnerabilities found are affecting the admission controller component of Ingress NGINX Controller for Kubernetes and highlight the importance of strict configuration validation and access control in Kubernetes environments. 

Security researchers from Wiz found that 43% of cloud environments are vulnerable to these vulnerabilities. They uncovered over 6,500 clusters, including Fortune 500 companies, that publicly expose vulnerable Kubernetes ingress controllers’ admission controllers to the public internet—putting them at immediate critical risk. 

References

Scroll to top