
DIVD-2025-00016 - Unauthenticated Remote Code Execution in Ingress-Nginx.

Our reference DIVD-2025-00016
Case lead Victor Pasman
Author Davy Aarts
Researcher(s)
CVE(s)
Products
  • Kubernetes Ingress-Nginx Controller
Versions
  • Ingress-Nginx Controller version 1.12.0 (fixed in 1.12.1)
  • Ingress-Nginx Controller version 1.11.x before 1.11.5
  • Ingress-Nginx Controller versions below 1.11.0
Recommendation Upgrade Ingress-Nginx as soon as possible to version 1.12.1 or 1.11.5
Patch status Fully patched
Workaround For users unable to upgrade immediately, Kubernetes recommends turning off the Validating Admission Controller feature of Ingress-Nginx (the admission webhook is the component reached by the attacker). Instructions can be found in the Kubernetes blog post: https://kubernetes.io/blog/2025/03/24/ingress-nginx-cve-2025-1974/
Status Open
Last modified 26 Jun 2025 09:26 CEST

Summary

The Ingress-Nginx controller contains an unauthenticated Remote Code Execution vulnerability in its Validating Admission Controller (admission webhook). Because the controller runs with broad privileges in the cluster, successful exploitation can result in a complete cluster takeover. The vulnerability has been resolved in the controller; the patched versions are 1.12.1 and 1.11.5.

Recommendations

Upgrading the Ingress-Nginx Controller to version 1.12.1 or 1.11.5 resolves the vulnerability. If upgrading to one of these versions is not feasible yet, you can reduce the risk by turning off the Validating Admission Controller feature, which removes the attack surface until the upgrade can be done. More information on implementing the workaround can be found at the Kubernetes Blog linked above.
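The following script is an added example for this case page; it is neither DIVD's scanning tooling nor code from the ingress-nginx project. It checks the controller image tags found in a cluster against the affected ranges listed above, and carries the blog post's workaround (deleting the `ingress-nginx-admission` ValidatingWebhookConfiguration and dropping the `--validating-webhook` flag) as a function. It assumes the controller runs from the `registry.k8s.io/ingress-nginx/controller` image with a tag such as `v1.11.4` and carries the labels `app.kubernetes.io/name=ingress-nginx` and `app.kubernetes.io/component=controller`; the namespace `ingress-nginx` and the Deployment name `ingress-nginx-controller` are the defaults from the upstream manifests and may differ in your installation. The inventory it scans without `--cluster` is constructed sample data, not real output.

```shell
#!/bin/sh
# Added example for DIVD-2025-00016; not DIVD's tooling, not ingress-nginx project code.
# Assumptions: controller image tags look like "v1.11.4"; the controller workload
# carries app.kubernetes.io/name=ingress-nginx and app.kubernetes.io/component=controller.
set -eu

# Affected ranges as stated on the page: every version below 1.11.0, every 1.11.x
# before 1.11.5, and 1.12.0 (fixed in 1.12.1). Returns 0 (true) when TAG is affected
# or cannot be parsed (so it gets flagged), 1 when the tag carries a fix.
ingress_nginx_vulnerable() {
  ver=${1#v}            # "v1.11.4" -> "1.11.4"
  ver=${ver%%-*}        # drop pre-release suffixes such as "-rc1"
  case $ver in
    *.*.*) major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}; patch=${rest#*.} ;;
    *.*)   major=${ver%%.*}; minor=${ver#*.}; patch=0 ;;
    *)     return 0 ;;  # "latest" or a bare number: unknown, flag it
  esac
  case "$major$minor$patch" in *[!0-9]*) return 0 ;; esac   # non-numeric: flag it
  if [ "$major" -lt 1 ]; then return 0; fi
  if [ "$major" -gt 1 ]; then return 1; fi
  if [ "$minor" -lt 11 ]; then return 0; fi
  if [ "$minor" -eq 11 ] && [ "$patch" -lt 5 ]; then return 0; fi
  if [ "$minor" -eq 12 ] && [ "$patch" -lt 1 ]; then return 0; fi
  return 1
}

# Extracts the tag from an image reference, ignoring a trailing @sha256 digest and
# a registry port: "registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:..." -> "v1.11.4".
ingress_nginx_image_tag() {
  ref=${1%%@*}
  last=${ref##*/}
  case $last in
    *:*) printf '%s\n' "${last#*:}" ;;
    *)   printf 'latest\n' ;;
  esac
}

# Reads "namespace name image" lines on stdin and prints one tab-separated verdict per line.
scan_ingress_nginx_report() {
  while read -r ns name image; do
    [ -n "$image" ] || continue
    tag=$(ingress_nginx_image_tag "$image")
    if ingress_nginx_vulnerable "$tag"; then verdict=VULNERABLE; else verdict=fixed; fi
    printf '%s\t%s\t%s\t%s\n' "$verdict" "$ns" "$name" "$tag"
  done
}

# The only live step: list the controller workloads actually running in the cluster.
# Needs kubectl and cluster access; everything else in this script works offline.
list_ingress_nginx_images() {
  kubectl get deployments,daemonsets --all-namespaces \
    -l app.kubernetes.io/name=ingress-nginx,app.kubernetes.io/component=controller \
    -o jsonpath='{range .items[*]}{.metadata.namespace}{"\t"}{.metadata.name}{"\t"}{.spec.template.spec.containers[0].image}{"\n"}{end}'
}

# Workaround from the Kubernetes blog post for clusters that cannot upgrade yet:
# delete the ValidatingWebhookConfiguration so the admission endpoint stops being
# served, then remove --validating-webhook from the controller's args (the blog
# says to edit the Deployment/DaemonSet; here the current args are printed so the
# removal can be verified). Helm users set controller.admissionWebhooks.enabled=false
# instead. Namespace and Deployment name are the upstream defaults (assumption).
disable_ingress_nginx_admission() {
  ns=${1:-ingress-nginx}
  kubectl delete validatingwebhookconfiguration ingress-nginx-admission --ignore-not-found
  kubectl -n "$ns" get deployment ingress-nginx-controller \
    -o jsonpath='{.spec.template.spec.containers[0].args}{"\n"}'
}

# Constructed sample inventory (not real cluster output) so the script runs offline.
SAMPLE_INVENTORY='ingress-nginx ingress-nginx-controller registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:deadbeef
edge ingress-nginx-controller registry.k8s.io/ingress-nginx/controller:v1.12.1
legacy nginx-ingress registry.k8s.io/ingress-nginx/controller:v1.10.0
test ingress-nginx-controller registry.k8s.io/ingress-nginx/controller:v1.12.0'

if [ "${1:-}" = "--cluster" ]; then
  list_ingress_nginx_images | scan_ingress_nginx_report
else
  printf '%s\n' "$SAMPLE_INVENTORY" | scan_ingress_nginx_report
fi
```

Run it with `--cluster` against a kubeconfig to scan the live controller workloads; without arguments it scans the constructed sample and flags the 1.11.4, 1.10.0 and 1.12.0 entries. The version check deliberately flags tags it cannot parse (`latest`, digests without a tag) rather than silently treating them as fixed, since an unknown version is exactly what a notification campaign should not skip.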

What we are doing

DIVD is currently working to identify parties that are running a vulnerable version of Ingress-Nginx and to notify these parties.

Timeline

Date Description
09 May 2025 DIVD starts researching the vulnerability.
09 May 2025 DIVD finds fingerprint, preparing to scan.
09 May 2025 Case opened and starting first scan.
22 May 2025 Notifications have been sent out to vulnerable network owners.
05 Jun 2025 Second scan
05 Jun 2025 DIVD begins notifying owners of vulnerable systems.
05 Jun 2025 DIVD sent out a second round of notifications.
26 Jun 2025 Third scan started
26 Jun 2025 DIVD begins notifying owners third time of vulnerable systems.

More information