Cyber Resilience

CVE-2025-1098

High · Public PoC

Published: 25 March 2025
Modified: 15 April 2026
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.3418 (97.1th percentile)
Risk Priority: 38 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-1098 is a high-severity Improper Input Validation (CWE-20) vulnerability. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 2.9% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-1098 is an input validation flaw (CWE-20) in ingress-nginx that permits the mirror-target and mirror-host Ingress annotations to inject arbitrary nginx configuration directives. The affected component is the ingress-nginx controller running in Kubernetes clusters; successful injection executes code in the controller process and exposes any Secrets the controller can read, which by default includes all Secrets cluster-wide.

An authenticated user able to create or update Ingress objects can therefore achieve remote code execution inside the controller and obtain arbitrary secret material without needing elevated cluster privileges beyond standard Ingress management rights.

Public references consist of a Kubernetes GitHub issue, a NetApp security advisory, and an Exploit-DB entry that document the problem and point to remediation steps, though specific patch versions or configuration work-arounds are not detailed in the supplied references.

The EPSS probability rose materially from a low baseline to a peak of 0.6618 on 2026-02-03 before receding to the current value of 0.3418, indicating that exploitation interest increased after disclosure.

EU & UK References

Vulnerability details

A security issue was discovered in ingress-nginx (https://github.com/kubernetes/ingress-nginx) where the `mirror-target` and `mirror-host` Ingress annotations can be used to inject arbitrary configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The vulnerability enables exploitation of a public-facing ingress-nginx for RCE (Unix shell) and privilege escalation from low-privilege Ingress modification to controller code execution with Secret access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-24504 (Shared CWE-20)
CVE-2026-24505 (Shared CWE-20)
CVE-2026-2750 (Shared CWE-20)
CVE-2025-59886 (Shared CWE-20)
CVE-2024-56133 (Shared CWE-20)
CVE-2026-32604 (Shared CWE-20)
CVE-2025-66259 (Shared CWE-20)
CVE-2025-27493 (Shared CWE-20)
CVE-2026-34980 (Shared CWE-20)
CVE-2025-30452 (Shared CWE-20)

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Directly remediates the improper input validation flaw in ingress-nginx by requiring timely identification, reporting, and patching of the vulnerability to prevent arbitrary nginx configuration injection.

Prevent: Enforces least privilege to restrict low-privileged users or service accounts from creating or modifying Ingress resources, blocking the injection of malicious mirror-target and mirror-host annotations.

Prevent: Mandates validation of information inputs such as Ingress annotations to mitigate improper validation that enables arbitrary configuration injection into the nginx process.
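
As an illustration of the annotation-validation control above, here is an added example (not code from ingress-nginx or from this page's references): a heuristic audit that reports `mirror-target` and `mirror-host` values falling outside a conservative allow-list. The default `nginx.ingress.kubernetes.io/` annotation prefix, the allow-list patterns, and the sample objects are assumptions constructed for this example.

```python
import re

# Default ingress-nginx annotation prefix; assumed not overridden in this cluster.
PREFIX = "nginx.ingress.kubernetes.io/"

# Conservative allow-lists chosen for this example (an assumption, not the
# controller's own validation): a bare host[:port], and a URL or URI path.
CHECKS = {
    "mirror-host": re.compile(r"[A-Za-z0-9.-]+(:\d{1,5})?"),
    "mirror-target": re.compile(
        r"(https?://[A-Za-z0-9.-]+(:\d{1,5})?)?(/[A-Za-z0-9._~/$%-]*)?"
    ),
}


def audit_ingresses(ingress_list):
    """Return (namespace, name, annotation, status) for every mirror annotation."""
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        annotations = meta.get("annotations") or {}
        for short_name, pattern in CHECKS.items():
            value = annotations.get(PREFIX + short_name)
            if value is None:
                continue
            # Anything outside the allow-list (spaces, newlines, ';', braces,
            # quotes, '#') is reported for manual review rather than trusted.
            ok = bool(value) and pattern.fullmatch(value) is not None
            findings.append((meta.get("namespace", "default"), meta.get("name"),
                             short_name, "ok" if ok else "suspicious"))
    return findings


# Constructed sample shaped like the "items" list of an Ingress listing.
SAMPLE = {"items": [
    {"metadata": {"namespace": "shop", "name": "web", "annotations": {
        PREFIX + "mirror-target": "https://mirror.example.test/$request_uri",
        PREFIX + "mirror-host": "mirror.example.test"}}},
    {"metadata": {"namespace": "dev", "name": "scratch", "annotations": {
        PREFIX + "mirror-host": "mirror.example.test;\n# constructed marker"}}},
    {"metadata": {"namespace": "dev", "name": "plain"}},
]}

if __name__ == "__main__":
    for finding in audit_ingresses(SAMPLE):
        print(*finding)
```

The same function accepts the parsed output of `kubectl get ingress -A -o json`; a "suspicious" result is a prompt for manual review of who set the annotation, not proof of exploitation.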

References