Serial number: AV25-161
Date: March 24, 2025
Updated: March 27, 2025
On March 24, 2025, Kubernetes published a security advisory to address critical vulnerabilities in the following product:
- Kubernetes ingress-nginx controller — versions prior to 1.11.5
- Kubernetes ingress-nginx controller — versions prior to 1.12.1
This vulnerability allows unauthenticated RCE and wide access to secrets.
The vulnerability is rated a CVSS 9.8 and is tracked with the following identifiers: CVE-2025-1097, CVE-2025-1098, CVE-2025-24514 and CVE-2025-1974.
Update 1
On March 24, 2025, open-source reporting has indicated that proof-of-concept exploit code is available for vulnerability CVE-2025-1974.
The Cyber Centre encourages users and administrators to review the provided web links and apply the necessary updates.
- Kubernetes - Ingress-nginx CVE-2025-1974: What You Need to Know
- Kubernetes - controller-v1.11.5
- Kubernetes - controller-v1.12.1
- Kubernetes - controller-v1.11.5
- IngressNightmare: 9.8 Critical Unauthenticated Remote Code Execution Vulnerabilities in Ingress NGINX
- AWS - Issues with Kubernetes ingress-nginx controller (Multiple CVEs)
- Microsoft - Kubernetes: Vulnerability in Kubernetes NGINX Ingress Controller
- Google Cloud - Security Bulletins
- Critical Ingress NGINX Controller Vulnerability Allows RCE Without Authentication