CVE-2025-1974
Published: 25 March 2025
Summary
CVE-2025-1974 is a critical-severity Improper Isolation or Compartmentalization (CWE-653) vulnerability in Https: (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 requires timely remediation of identified flaws like CVE-2025-1974 in the ingress-nginx controller, directly preventing arbitrary code execution.
SC-7 enforces network boundaries to restrict unauthorized access to the pod network, blocking unauthenticated attackers from reaching and exploiting the ingress-nginx controller.
AC-6 least privilege limits the ingress-nginx controller's access to Secrets, reducing the impact of code execution by preventing cluster-wide disclosure.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables unauthenticated remote arbitrary code execution in the ingress-nginx controller (public-facing Kubernetes component), directly mapping to T1190 for exploitation and T1059.004 for Unix Shell command execution; also facilitates secret/credential disclosure via the resulting access.
NVD Description
A security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of Secrets accessible…
more
to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
Deeper analysisAI
CVE-2025-1974 is a critical vulnerability in Kubernetes, specifically affecting the ingress-nginx controller. Under certain conditions, it allows an unauthenticated attacker with access to the pod network to achieve arbitrary code execution within the context of the controller. This issue, associated with CWE-653, has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-03-25.
An unauthenticated attacker who gains access to the pod network can exploit this vulnerability to execute arbitrary code as the ingress-nginx controller. Successful exploitation leads to the disclosure of Secrets accessible to the controller, which in default installations includes all Secrets cluster-wide.
Advisories and references, including the Kubernetes GitHub issue at https://github.com/kubernetes/kubernetes/issues/131009, a proof-of-concept repository at https://github.com/B1ack4sh/Blackash-CVE-2025-1974, a NetApp security advisory at https://security.netapp.com/advisory/ntap-20250328-0008/, and an Exploit-DB entry at https://www.exploit-db.com/exploits/52475, provide details on the issue and potential mitigations such as restricting pod network access and applying patches where available.
Public proof-of-concept exploits are available, indicating active interest from the security research community.
Details
- CWE(s)