DIVD-2025-00016 - Unauthenticated Remote Code Execution in Ingress-Nginx.
Our reference | DIVD-2025-00016 |
Case lead | Victor Pasman |
Author | Davy Aarts |
Researcher(s) | |
CVE(s) | |
Products | |
Versions | |
Recommendation | Upgrade Ingress-Nginx as soon as possible to version 1.12.1 or 1.11.5 |
Patch status | Fully patched |
Workaround | For users unable to upgrade immediately, Kubernetes recommends turning off the Validating Admission Controller feature of Ingress-Nginx. Instructions can be found in the Kubernetes blog post: https://kubernetes.io/blog/2025/03/24/ingress-nginx-cve-2025-1974/ |
Status | Open |
Last modified | 26 Jun 2025 09:26 CEST |
Summary
The Ingress-Nginx controller contains an unauthenticated Remote Code Execution vulnerability that can lead to a complete takeover of the Kubernetes cluster. The vulnerability is fixed in controller versions 1.12.1 and 1.11.5.
Recommendations
Upgrading the Ingress-Nginx controller to version 1.12.1 or 1.11.5 resolves the vulnerability. If upgrading to one of these versions is not feasible, you can reduce the risk by turning off the Validating Admission Controller feature. Instructions for this workaround can be found in the Kubernetes blog post linked above.
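To act on this recommendation you first need to know which controller version is running. The script below is an added example, not DIVD's tooling or part of the ingress-nginx project: it reduces a controller image reference (as returned by kubectl) to its tag and classifies it against the fixed releases named above. Function names are hypothetical; the image references in the loop are constructed, not captured from a cluster; the version logic assumes that any release newer than 1.12.1 or 1.11.5 in its line is also fixed, and that 1.12.0 and everything older than 1.11.5 is vulnerable.

```shell
#!/bin/sh
# Added example (not DIVD's or the ingress-nginx project's own tooling):
# classify an ingress-nginx controller image tag against the fixed releases
# named in this advisory, 1.12.1 and 1.11.5. Hypothetical function names.

# Return 0 if the version is a fixed release, 1 if vulnerable, 2 if unparsable.
# Assumption: everything newer than the two fixed releases in its line is
# fixed; 1.12.0 and everything below 1.11.5 is vulnerable.
ingress_nginx_patched() {
    v=${1#v}            # image tags look like "v1.12.0"
    v=${v%%-*}          # drop a "-rc1"-style suffix, if any
    case "$v" in
        ''|*[!0-9.]*|.*|*.|*..*) return 2 ;;   # "latest", empty, malformed
    esac
    major=${v%%.*}
    rest=${v#*.}
    [ "$rest" = "$v" ] && rest=0          # "1"    -> minor 0
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0     # "1.12" -> patch 0
    patch=${patch%%.*}                    # ignore any fourth component
    if [ "$major" -gt 1 ]; then return 0; fi
    if [ "$major" -lt 1 ]; then return 1; fi
    if [ "$minor" -ge 13 ]; then return 0; fi
    if [ "$minor" -eq 12 ]; then
        if [ "$patch" -ge 1 ]; then return 0; else return 1; fi
    fi
    if [ "$minor" -eq 11 ]; then
        if [ "$patch" -ge 5 ]; then return 0; else return 1; fi
    fi
    return 1                              # 1.10.x and older
}

# Reduce an image reference to its tag and print "<tag> <verdict>".
# "registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:<digest>" -> "v1.12.0"
ingress_nginx_verdict() {
    tag=${1%%@*}        # strip an @sha256 digest
    tag=${tag##*:}      # keep what follows the last colon
    ingress_nginx_patched "$tag" && rc=0 || rc=$?
    case $rc in
        0) echo "$tag patched" ;;
        1) echo "$tag VULNERABLE" ;;
        *) echo "$tag unknown (untagged or non-release tag)" ;;
    esac
}

# On a live cluster, feed this script the controller images, e.g.:
#   kubectl get deploy,ds -A -o jsonpath='{range .items[*]}{.spec.template.spec.containers[*].image}{"\n"}{end}' \
#     | grep ingress-nginx/controller
# Workaround when an upgrade is not yet possible, as described in the linked
# Kubernetes blog post (commands not executed here; <release> is a placeholder):
#   Helm:      helm upgrade --install <release> ingress-nginx/ingress-nginx -n ingress-nginx \
#                --set controller.admissionWebhooks.enabled=false
#   Manifests: kubectl delete validatingwebhookconfiguration ingress-nginx-admission
#              and remove --validating-webhook from the controller container's args.

# Constructed image references standing in for the kubectl output above;
# nothing here is captured from a real cluster.
for img in \
    registry.k8s.io/ingress-nginx/controller:v1.12.0 \
    registry.k8s.io/ingress-nginx/controller:v1.12.1 \
    registry.k8s.io/ingress-nginx/controller:v1.11.5 \
    registry.k8s.io/ingress-nginx/controller:v1.9.6
do
    ingress_nginx_verdict "$img"
done
```

Only `patched` results should be accepted; `unknown` means the tag could not be parsed (for example an image pinned only by digest or tagged `latest`) and the running version must be confirmed another way, such as from `/nginx-ingress-controller --version` inside the controller pod.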
What we are doing
DIVD is currently working to identify parties that are running a vulnerable version of Ingress-Nginx and to notify these parties.
Timeline
Date | Description |
---|---|
09 May 2025 | DIVD starts researching the vulnerability. |
09 May 2025 | DIVD finds fingerprint, preparing to scan. |
09 May 2025 | Case opened and starting first scan. |
22 May 2025 | Notifications sent out to vulnerable network owners. |
05 Jun 2025 | Second scan |
05 Jun 2025 | DIVD begins notifying owners of vulnerable systems. |
05 Jun 2025 | DIVD sent out a second round of notifications. |
26 Jun 2025 | Third scan started |
26 Jun 2025 | DIVD begins notifying owners of vulnerable systems for the third time. |