Cyber Security News

PoC Exploit Released for Ingress-NGINX RCE Vulnerabilities

A recently disclosed vulnerability in Ingress-NGINX, tracked as CVE-2025-1974, has raised concerns about the security of Kubernetes environments.

This vulnerability allows for Remote Code Execution (RCE) through the validating webhook server integrated into Ingress-NGINX. A Proof of Concept (PoC) exploit has been released, demonstrating how attackers could exploit this flaw.

CVE-2025-1974 affects versions of Ingress-NGINX where the validating webhook is enabled. The webhook listens on port 8443 and is designed to validate configurations before applying them to NGINX instances.

However, due to a security oversight, an attacker can craft malicious AdmissionRequests containing NGINX configurations that lead to RCE.

PoC Exploit

The PoC exploit has been tested in a local Minikube environment. Here’s a step-by-step guide on how it works:

  1. Create a Vulnerable Pod:
    Users start by applying the relevant NGINX Ingress controller configuration using Kubernetes:
kubectl apply -f nginx-ingress-controller.yaml
  1. Identify the Webhook Server:
    Describing the pod reveals details about the webhook server, including its listening port:
kubectl describe <pod name> -n <namespace>

This shows that the validating webhook is listening on port 8443.

  1. Port Forward to Local Machine:
    To interact with the webhook, users port-forward it to their local machine:
kubectl port-forward -n ingress-nginx <pod name> 8443:1337
  1. Send Malicious AdmissionRequest:
    A malicious AdmissionRequest is crafted with a JSON payload (poc.json) containing an NGINX configuration that exploits the vulnerability. This is sent to the forwarded webhook port:
curl --insecure -v -H "Content-Type: application/json" --data poc.json https://localhost:1337/fake/path
  1. Verify Successful Execution:
    The logs of the pod are checked using:
kubectl logs <pod name> -n ingress-nginx

Successful execution of the exploit is indicated by specific log messages.

Impact and Recommendations

This vulnerability poses a significant risk to any environment that relies on Ingress-NGINX with the validating webhook enabled.

The potential for RCE allows attackers to execute arbitrary code within the Kubernetes cluster, compromising security and integrity.

To mitigate this vulnerability, users are advised to update their Ingress-NGINX installations to versions where the issue has been fixed.

Additionally, ensuring proper network segmentation and access controls can limit potential damage until patches are applied.

The release of a PoC exploit for CVE-2025-1974 highlights the urgency of addressing vulnerabilities in critical infrastructure components like Ingress-NGINX.

Continuous monitoring and maintenance of Kubernetes environments are essential to prevent such exploits from being successfully executed in the wild.

As the Kubernetes ecosystem continues to evolve, securing each component against emerging threats remains a top priority for operators and developers alike.

Are you from SOC/DFIR Teams? – Analyse Malware, Phishing Incidents & get live Access with ANY.RUN -> Start Now for Free. 

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

A New Microsoft Tool Automatically Detects, Diagnoses, and Resolves Boot Issues in Windows

Microsoft has unveiled a transformational tool aimed at addressing one of the most frustrating challenges…

2 minutes ago

Beware! A Fake Zoom Installer Drops BlackSuit Ransomware on Your Windows Systems

Cybersecurity analysts have uncovered a sophisticated campaign exploiting a fake Zoom installer to deliver BlackSuit…

25 minutes ago

Linux Distribution Nitrux3.9.1  Releaed – What’s New

Nitrux Linux, renowned for its innovative approach to desktop computing, has unveiled its latest release, Nitrux…

38 minutes ago

Hackers Distributing Phishing Malware Via SVG Format To Bypass File Detection

Cybersecurity experts at the AhnLab Security Intelligence Center (ASEC) have uncovered a novel phishing malware…

3 hours ago

CrushFTP Vulnerability Lets Hackers Bypass Security and Seize Server Control

A newly disclosed authentication bypass vulnerability (CVE-2025-2825) in CrushFTP file transfer software enables attackers to…

3 hours ago

New Android Malware “TsarBot” Targeting 750 Banking, Finance & Crypto Apps

A newly identified Android malware, dubbed TsarBot, has emerged as a potent cyber threat targeting…

3 hours ago