Cyber Resilience

CVE-2025-24514

High · Public PoC

Published: 25 March 2025

Modified: 15 April 2026
KEV Added
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.4971 (97.9th percentile)
Risk Priority: 47 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-24514 is a high-severity Improper Input Validation (CWE-20) vulnerability. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked in the top 2.1% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A security issue was discovered in ingress-nginx where the auth-url Ingress annotation can be used to inject configuration into nginx. This affects the ingress-nginx controller component in Kubernetes environments and can lead to arbitrary code execution in the context of the controller along with disclosure of Secrets accessible to it. In default installations the controller can access all Secrets cluster-wide. The flaw is tracked as CVE-2025-24514 with a CVSS score of 8.8 and is classified under CWE-20.

An attacker with permission to create or modify Ingress resources can supply a malicious auth-url annotation to trigger configuration injection. Successful exploitation grants code execution inside the ingress-nginx controller pod and read access to any Secrets the controller can reach, enabling broad cluster credential theft or further lateral movement.

Public references include a Kubernetes GitHub issue, a NetApp security advisory, and an Exploit-DB entry describing a working proof-of-concept. These sources point to the need for updated ingress-nginx versions or configuration hardening, though specific patch instructions are not detailed in the provided references.

The EPSS score currently stands at 0.4748 after reaching a peak of 0.5158, indicating sustained moderate-to-high exploitation interest following disclosure.

EU & UK References

Vulnerability details

A security issue was discovered in ingress-nginx (https://github.com/kubernetes/ingress-nginx) where the `auth-url` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation · Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1059.004 Unix Shell · Execution
Adversaries may abuse Unix shell commands and scripts for execution.

T1552.001 Credentials In Files · Credential Access
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

Vulnerability enables privilege escalation via RCE in ingress-nginx pod (T1068, T1059.004) and Kubernetes Secrets disclosure (T1552.001) through auth-url annotation injection.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-27493 · Shared CWE-20
CVE-2025-1098 · Shared CWE-20
CVE-2026-24504 · Shared CWE-20
CVE-2026-24505 · Shared CWE-20
CVE-2025-21234 · Shared CWE-20
CVE-2025-48647 · Shared CWE-20
CVE-2025-25210 · Shared CWE-20
CVE-2026-21733 · Shared CWE-20
CVE-2026-7905 · Shared CWE-20
CVE-2026-7997 · Shared CWE-20

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Directly addresses CWE-20 improper input validation by requiring validation of untrusted inputs like the auth-url Ingress annotation to prevent configuration injection and RCE.

Prevent: Mandates timely flaw remediation, including patching the ingress-nginx controller vulnerability referenced in advisories to eliminate the config injection flaw.

Prevent: Enforces least privilege to restrict creation or modification of Ingress resources, raising the privilege bar needed for PR:L exploitation.

References