PoC Exploit Released for Ingress-NGINX Remote Code Execution Vulnerabilities

A proof-of-concept (PoC) exploit for a critical remote code execution vulnerability in Kubernetes Ingress-NGINX controllers, tracked as CVE-2025-1974. 

The vulnerability uncovered by WiZ affects the validation webhook component and could allow attackers to execute arbitrary code on affected systems, potentially compromising entire Kubernetes clusters.

The vulnerability affects Ingress-NGINX controller version v1.11.3 and potentially earlier versions.

It targets the validation webhook server, which runs on port 8443 and is responsible for verifying and processing Ingress resources before they are deployed to the cluster.

The vulnerability demonstrated in a controlled minikube setup illustrates how malicious actors might circumvent security measures and run commands on the base system.

This vulnerability is particularly concerning given that Ingress-NGINX is one of the most commonly utilized ingress controllers in Kubernetes systems. Organizations should update their deployments immediately.

Proof-of-Concept Demonstration

The exploit takes advantage of the controller’s validation webhook functionality. The PoC demonstrates that an attacker can access the webhook server and send a specially crafted AdmissionRequest containing malicious nginx configuration:

The vulnerability exists because the controller’s CheckIngress function executes:

This creates a path for command injection through manipulated configuration files.

A proof of concept (PoC) has been released on GitHub, which demonstrates how to deploy a vulnerable pod.

The vulnerable controller can be identified by examining the pod specifications, particularly looking for controllers using the validation webhook on port 8443:

When the exploit is executed, the controller logs show successful validation of potentially malicious configuration:

Impact and Mitigation

The vulnerability allows attackers to inject malicious configurations and potentially achieve remote code execution by manipulating AdmissionReview requests.

Organizations running affected Ingress-NGINX controllers should:

• Upgrade to the latest patched version immediately.
• Implement network policies to restrict access to the validation webhook.
• Monitor controller logs for suspicious AdmissionRequest activities.
• Consider temporarily disabling the validation webhook if immediate patching isn’t possible.

Kubernetes Security Special Interest Group (SIG) has confirmed the vulnerability and is working with the Ingress-NGINX maintainers to ensure proper patching and mitigation guidance.

This exploit highlights the importance of vigilant monitoring and prompt patching in Kubernetes environments, especially for components that process external input like ingress controllers.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

The post PoC Exploit Released for Ingress-NGINX Remote Code Execution Vulnerabilities appeared first on Cyber Security News.