Cyber Resilience

CVE-2025-1974

Critical · Public PoC

Published: 25 March 2025

Modified: 15 April 2026
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9192 (99.7th percentile)
Risk Priority: 75 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-1974 is a critical-severity Improper Isolation or Compartmentalization (CWE-653) vulnerability in the Kubernetes ingress-nginx controller (product inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 0.3% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-1974 is a critical vulnerability in the ingress-nginx controller component of Kubernetes. Under certain conditions, it permits arbitrary code execution within the controller process, which by default has cluster-wide access to Secrets. The issue is tracked under CWE-653 and carries a CVSS 3.1 score of 9.8.

An unauthenticated attacker who already has network access to the pod network can exploit the flaw to run code in the ingress-nginx context and thereby read any Secrets reachable by the controller. In standard deployments this exposure extends to all Secrets across the cluster.

Public references include a Kubernetes GitHub issue, a NetApp security advisory, and an Exploit-DB entry that publishes working exploit code. The associated EPSS score stands at 0.9192 with no subsequent rise reported.

EU & UK References

Vulnerability details

A security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The vulnerability enables unauthenticated remote arbitrary code execution in the ingress-nginx controller (a public-facing Kubernetes component), which maps directly to T1190 for exploitation and to T1059.004 for Unix shell command execution. The resulting access also facilitates Secret and credential disclosure.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-4282 (shared CWE-653)
CVE-2024-0135 (shared CWE-653)
CVE-2026-40968 (shared CWE-653)
CVE-2025-21590 (shared CWE-653)
CVE-2024-0136 (shared CWE-653)
CVE-2026-34775 (shared CWE-653)
CVE-2024-47520 (shared CWE-653)
CVE-2025-12805 (shared CWE-653)
CVE-2026-0542 (shared CWE-653)

Affected Assets

ingress-nginx controller (Kubernetes)
Inferred from references and description; NVD did not file a CPE for this CVE.

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: SI-2 requires timely remediation of identified flaws like CVE-2025-1974 in the ingress-nginx controller, directly preventing arbitrary code execution.

Prevent: SC-7 enforces network boundaries to restrict unauthorized access to the pod network, blocking unauthenticated attackers from reaching and exploiting the ingress-nginx controller.

Prevent: AC-6 least privilege limits the ingress-nginx controller's access to Secrets, reducing the impact of code execution by preventing cluster-wide disclosure.

References