CVE-2025-2787
Published: 26 March 2025
Summary
CVE-2025-2787 is a high-severity Code Injection (CWE-94) vulnerability in KNIME Business Hub. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks in the top 33.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-5 (Security Alerts, Advisories, and Directives).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mandates timely identification, reporting, and correction of flaws like the ingress-nginx code injection vulnerability (CVE-2025-1974) in KNIME Business Hub via patching to recommended versions.
Requires receiving, disseminating, and acting on vendor security advisories such as KNIME's for CVE-2025-2787, including updates and workarounds to prevent exploitation.
Enables periodic vulnerability scanning to identify the presence of CVE-2025-1974 in the ingress-nginx component used by KNIME Business Hub deployments.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The code injection vulnerability enables RCE on the ingress-nginx pod from within the Kubernetes cluster (requiring authenticated internal access), directly facilitating exploitation of remote services for code execution and privilege escalation potentially leading to full cluster takeover.
NVD Description
KNIME Business Hub is affected by the Ingress-nginx CVE-2025-1974 (a.k.a. IngressNightmare) vulnerability which affects the ingress-nginx component. In the worst case a complete takeover of the Kubernetes cluster is possible. Since the affected component is only reachable from within the cluster, i.e. requires an authenticated user, the severity in the context of KNIME Business Hub is slightly lower. Besides applying the publicly known workarounds, we strongly recommend updating to one of the following versions of KNIME Business Hub:
- 1.13.3 or above
- 1.12.4 or above
- 1.11.4 or above
- 1.10.4 or above
Deeper analysis
CVE-2025-2787 affects KNIME Business Hub deployments through its use of the ingress-nginx component, which is vulnerable to CVE-2025-1974, also known as IngressNightmare. This code injection vulnerability, classified under CWE-94, carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The issue stems from the ingress-nginx controller's handling of certain configurations, enabling remote code execution within the Kubernetes environment where KNIME Business Hub operates.
Exploitation requires an authenticated user with access from within the Kubernetes cluster, limiting the attack surface compared to fully public exposures. A successful attack could allow the adversary to achieve remote code execution on the ingress-nginx pod, potentially leading to a complete takeover of the Kubernetes cluster in the worst case. While the cluster-internal reachability slightly reduces the contextual severity for KNIME Business Hub, the high-impact potential warrants immediate attention.
The KNIME security advisory recommends applying publicly known workarounds for CVE-2025-1974 alongside updating to patched versions of KNIME Business Hub: 1.13.3 or later, 1.12.4 or later, 1.11.4 or later, or 1.10.4 or later. Full details are available at https://www.knime.com/security-advisory-cve-2025-2787.