IngressNightmare: Unauth RCE in Ingress NGINX (CVE-2025-1974) — ProjectDiscovery Blog

A critical vulnerability, CVE-2025-1974 (IngressNightmare), has been discovered in Ingress NGINX, allowing unauthenticated remote code execution (RCE). The flaw lies in the admission controller: it is exploitable from inside the cluster, and from the internet wherever the admission controller is exposed there. ProjectDiscovery has released a Nuclei detection template to identify vulnerable systems.

Read the full details here:

IngressNightmare: Unauth RCE in Ingress NGINX (CVE-2025-1974)

You Should Know:

Detection & Mitigation Steps

1. Scan for Vulnerable Systems

Use the Nuclei template to detect exposure:

nuclei -t CVE-2025-1974.yaml -target <IP/DOMAIN>

2. Check Admission Controller Exposure

List the admission webhook configurations in the cluster and check whether the Services they point to are reachable from the internet:

kubectl get validatingwebhookconfigurations,mutatingwebhookconfigurations -A

3. Patch or Restrict Access

  • Apply the latest NGINX Ingress Controller patches.
  • Restrict admission controller endpoints using Network Policies:
    # A NetworkPolicy is namespaced: create it in the namespace where the
    # ingress-nginx controller runs. podSelector: {} selects every pod there,
    # and ingress is then allowed only from namespaces carrying the label
    # name=kube-system, so that label must actually be set on the namespace.
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: block-admission-webhooks
    spec:
      podSelector: {}
      policyTypes:
        - Ingress
      ingress:
        - from:
            - namespaceSelector:
                matchLabels:
                  name: kube-system


4. Monitor for Exploitation Attempts

Use Falco or audit logs to detect unauthorized access:

kubectl logs -n kube-system <ingress-nginx-pod> | grep "admission webhook"
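
To go with steps 2 and 3, here is an added example (not from the ProjectDiscovery post or this page) that classifies each admission webhook by how reachable it is, working from the JSON that `kubectl get validatingwebhookconfigurations -o json` and `kubectl get svc -A -o json` emit; the embedded samples and their names are constructed, and the same code works on mutatingwebhookconfigurations output.

```python
import json
# Constructed samples of `kubectl get validatingwebhookconfigurations -o json` and
# `kubectl get svc -A -o json`, trimmed to the fields used below. Names are illustrative.
WEBHOOKS_JSON = """{"items": [
 {"metadata": {"name": "ingress-nginx-admission"}, "webhooks": [
   {"name": "validate.nginx.ingress.kubernetes.io", "clientConfig": {"service":
     {"namespace": "ingress-nginx", "name": "ingress-nginx-controller-admission", "port": 443}}}]},
 {"metadata": {"name": "demo-admission"}, "webhooks": [
   {"name": "validate.demo.example", "clientConfig": {"service":
     {"namespace": "demo", "name": "demo-admission", "port": 443}}}]},
 {"metadata": {"name": "legacy-hook"}, "webhooks": [
   {"name": "hook.example.com", "clientConfig": {"url": "https://hooks.example.com/validate"}}]}]}"""
SERVICES_JSON = """{"items": [
 {"metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller-admission"},
  "spec": {"type": "ClusterIP"}},
 {"metadata": {"namespace": "demo", "name": "demo-admission"}, "spec": {"type": "NodePort"}}]}"""
EXTERNAL_TYPES = {"NodePort", "LoadBalancer"}

def classify_webhooks(webhook_cfgs, services):
    """Return [(config, webhook, reach, detail)] for every admission webhook.
    reach is 'external' when the backing Service is NodePort/LoadBalancer or the
    webhook is a fixed URL, else 'cluster': a ClusterIP Service that any pod can reach
    unless a NetworkPolicy limits ingress to the webhook pods (step 3 above)."""
    svc_type = {(s["metadata"]["namespace"], s["metadata"]["name"]):
                s["spec"].get("type", "ClusterIP") for s in services["items"]}
    findings = []
    for cfg in webhook_cfgs["items"]:
        for wh in cfg.get("webhooks", []):
            cc = wh.get("clientConfig", {})
            if "url" in cc:  # served from a fixed URL, i.e. outside the cluster network
                findings.append((cfg["metadata"]["name"], wh["name"], "external", cc["url"]))
                continue
            svc = cc.get("service", {})
            key = (svc.get("namespace"), svc.get("name"))
            stype = svc_type.get(key, "ClusterIP")  # absent Service: assume the default type
            reach = "external" if stype in EXTERNAL_TYPES else "cluster"
            findings.append((cfg["metadata"]["name"], wh["name"], reach,
                             f"Service {key[0]}/{key[1]} type={stype}"))
    return findings

def report(webhooks_json=WEBHOOKS_JSON, services_json=SERVICES_JSON):
    """Parse the kubectl JSON, print one line per webhook and return the findings."""
    findings = classify_webhooks(json.loads(webhooks_json), json.loads(services_json))
    for cfg, wh, reach, detail in findings:
        print(f"[{reach:8}] {cfg}/{wh}: {detail}")
    return findings

if __name__ == "__main__":
    report()
```

Pass real kubectl output to `report()` in place of the samples; the 'cluster' findings are the webhooks the NetworkPolicy in step 3 is meant to fence off.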

Exploitation Proof-of-Concept (PoC)

If unpatched, attackers can exploit this via crafted HTTP requests:

curl -X POST http://<TARGET>/admission -H "Content-Type: application/json" --data '{"malicious": "payload"}'

### **What Undercode Says**

This vulnerability highlights the risks of improperly secured Kubernetes admission controllers. Always:

  • Isolate sensitive endpoints from public access.
  • Automate vulnerability scanning with tools like Trivy or Clair.
  • Enforce least-privilege RBAC to limit blast radius.

**Relevant Commands:**

  • Check NGINX Ingress version:
    kubectl describe pod <ingress-nginx-pod> -n kube-system | grep Image:
    
  • Block external admission webhook access via iptables (as written, this rule drops all inbound TCP/443 on the node, including the controller's own HTTPS traffic; scope it to the webhook's listening port and trusted source addresses before use):
    iptables -A INPUT -p tcp --dport 443 -j DROP


### **Expected Output:**

[+] [CVE-2025-1974] Vulnerable Admission Webhook Detected: http://<TARGET>/admission

For further reading:

Kubernetes Security Best Practices
ProjectDiscovery Nuclei Templates

References:

Reported By: Ehsandeepsingh Ingressnightmare – Hackers Feeds