CVE-2025-1974
Published: 25 March 2025
Summary
CVE-2025-1974 is a critical-severity Improper Isolation or Compartmentalization (CWE-653) vulnerability in the Kubernetes ingress-nginx controller. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 0.3% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-1974 is a critical vulnerability in the ingress-nginx controller component of Kubernetes. Under certain conditions, it permits arbitrary code execution within the controller process, which by default has cluster-wide access to Secrets. The issue is tracked under CWE-653 and carries a CVSS 3.1 score of 9.8.
An unauthenticated attacker who already has network access to the pod network can exploit the flaw to run code in the ingress-nginx context and thereby read any Secrets reachable by the controller. In standard deployments this exposure extends to all Secrets across the cluster.
Public references include a Kubernetes GitHub issue, a NetApp security advisory, and an Exploit-DB entry that publishes working exploit code. The associated EPSS score stands at 0.9192 with no subsequent rise reported.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8035
Vulnerability details
A security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables unauthenticated remote arbitrary code execution in the ingress-nginx controller (a public-facing Kubernetes component), which maps directly to T1190 for exploitation and T1059.004 for Unix Shell command execution. The resulting access also facilitates disclosure of Secrets and credentials.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
SI-2 requires timely remediation of identified flaws like CVE-2025-1974 in the ingress-nginx controller, directly preventing arbitrary code execution.
SC-7 enforces network boundaries to restrict unauthorized access to the pod network, blocking unauthenticated attackers from reaching and exploiting the ingress-nginx controller.
AC-6 least privilege limits the ingress-nginx controller's access to Secrets, reducing the impact of code execution by preventing cluster-wide disclosure.