Cyber Resilience

CVE-2025-1097

HighPublic PoC

Published: 25 March 2025

Published
25 March 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.6535 98.5th percentile
Risk Priority 57 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1097 is a high-severity Improper Input Validation (CWE-20) vulnerability. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 1.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Deeper analysis

The vulnerability CVE-2025-1097 is an input-validation flaw (CWE-20) in ingress-nginx, the Kubernetes community-maintained ingress controller. The auth-tls-match-cn Ingress annotation can be abused to inject arbitrary configuration directives into the generated nginx configuration, resulting in code execution inside the controller process and read access to Secrets visible to that controller.

An authenticated user able to create or modify Ingress resources can therefore achieve arbitrary code execution in the ingress-nginx controller and obtain any Secrets the controller is permitted to read; in the default cluster-wide installation this grants access to every Secret. The issue carries a CVSS 3.1 base score of 8.8.

Public exploit code has been published and the EPSS probability currently stands at 0.6535 after a recorded peak of 0.6686. Further details appear in the referenced Kubernetes issue, NetApp advisory, and Exploit-DB entry.

EU & UK References

Vulnerability details

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-cn` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible…

more

to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Vulnerability in public-facing ingress-nginx allows annotation-based config injection for RCE in controller pod, enabling exploitation of public-facing app (T1190), privilege escalation from low-priv Ingress access to cluster secrets/RCE (T1068), and arbitrary code execution (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2750Shared CWE-20
CVE-2025-59886Shared CWE-20
CVE-2025-55270Shared CWE-20
CVE-2026-22615Shared CWE-20
CVE-2026-34910Shared CWE-20
CVE-2025-27494Shared CWE-20
CVE-2025-30213Shared CWE-20
CVE-2025-40836Shared CWE-20
CVE-2025-1098Shared CWE-20
CVE-2026-24504Shared CWE-20

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the improper input validation (CWE-20) in the auth-tls-match-cn annotation by requiring validation of Ingress annotations before processing to prevent arbitrary nginx configuration injection.

prevent

Requires timely remediation of the identified flaw in ingress-nginx through patching, eliminating the vulnerability to arbitrary code execution.

prevent

Enforces least privilege on the ingress-nginx controller's service account to restrict cluster-wide Secret access and limits low-privileged users' ability to create or modify Ingress resources.

References