Share
## https://sploitus.com/exploit?id=F806E55B-F32D-59B6-8D42-C4EABD48F805
# cve-2025-1974-win11-attack-defense-lab

Windows 11-first educational repository for studying CVE-2025-1974 in a safe, non-weaponized ATTACK + DEFENSE lab. The project is designed for university coursework, team demos, and report-ready screenshots. It emphasizes clean-room implementation, local-only validation, and a red-team-style attack emulation that never becomes a real exploit.

This lab encodes the official baseline that CVE-2025-1974 affects `ingress-nginx`, with affected versions `Windows 11-first UX"] --> B["Python CLIapp.main"]
    B --> C["Preflight ChecksWindows, Docker, kubectl, kind, Python 3.11"]
    B --> D["Cluster Assessmentkind + kubectl on localhost"]
    B --> E["Attack Simulatorsanitized fixtures only"]
    B --> F["Mitigation Checksversion + admission state"]
    B --> G["Detectionslab-specific simulated indicators"]
    E --> H["reports/attack_simulation.log"]
    F --> I["reports/defense_scan.json"]
    G --> J["reports/timeline.csv + timeline.json"]
    H --> K["Markdown Report Writer"]
    I --> K
    J --> K
    K --> L["reports/latest-report.md"]
```

## Project Overview

- `Track A: Attack Emulation`
  Runs a screenshot-friendly simulator that behaves like an attacker workflow without performing exploitation.
- `Track B: Defense Validation`
  Performs real local checks against a disposable lab cluster and assesses version and mitigation posture.
- `Windows 11-first`
  Every major workflow has a PowerShell wrapper and Python 3.11 CLI equivalent.
- `Reporting`
  Generates Markdown, JSON, CSV, and console transcripts suitable for class submission and demonstrations.

## Windows 11 Setup

### Assumptions

- Windows 11 host
- PowerShell 7+
- Python 3.11
- Docker Desktop
- `kubectl`
- `kind`

### Recommended setup flow

```powershell
pwsh ./scripts/setup-win11.ps1
pwsh ./scripts/start-lab.ps1
pwsh ./scripts/run-defend-scan.ps1
pwsh ./scripts/run-attack-sim.ps1
pwsh ./scripts/generate-report.ps1
```

## Quick Start

### Python CLI

```powershell
python -m app.main preflight
python -m app.main defend-scan
python -m app.main attack-sim
python -m app.main report
python -m app.main cleanup
```

### PowerShell wrappers

```powershell
pwsh ./scripts/setup-win11.ps1
pwsh ./scripts/start-lab.ps1
pwsh ./scripts/run-attack-sim.ps1
pwsh ./scripts/run-defend-scan.ps1
pwsh ./scripts/generate-report.ps1
pwsh ./scripts/cleanup.ps1
```

## Example Console Output

```text
============================================================
CVE-2025-1974 Windows 11 Attack + Defense Lab
============================================================
[PRECHECK] Windows 11 assumptions .............. PASS
[PRECHECK] Docker Desktop ...................... PASS
[PRECHECK] kubectl ............................. PASS
[PRECHECK] kind ................................ PASS
[PRECHECK] Python 3.11 ......................... PASS

[SCAN] Cluster name: cve-2025-1974-lab
[SCAN] ingress-nginx detected .................. YES
[SCAN] Controller version ...................... 1.11.4
[SCAN] Validating Admission Controller ......... ENABLED
[SCAN] Version assessment ...................... AFFECTED
[SCAN] Risk summary ............................ Upgrade to 1.11.5+ or 1.12.1+ and disable admission until upgraded.

[SIM] ATTACK_PATH_IDENTIFIED
[SIM] VALIDATION_PATH_REACHED
[SIM] DEFENSE_MISSING
[SIM] SIMULATED_RISK_CONFIRMED

[REPORT] Markdown report written to reports/latest-report.md
```

## Attack Flow Demo

The attack-emulation flow is intentionally non-weaponized:

1. The lab fingerprints the local disposable cluster and checks whether `ingress-nginx` appears present.
2. The simulator explains that the risk path conceptually involves the Validating Admission Controller.
3. A sanitized fixture is replayed only to a local simulator, which emits stage markers such as `ATTACK_PATH_IDENTIFIED` and `SIMULATED_RISK_CONFIRMED`.
4. When mitigation is active in the lab state, the simulator emits `MITIGATION_PRESENT`, `ATTACK_PATH_BLOCKED`, and `UPGRADE_REQUIRED` instead.
5. The run saves logs and summary artifacts under `reports/`.

## Defense Flow

The defense-validation flow is allowed to perform real local checks:

1. Verify Windows 11 prerequisites.
2. Create or inspect a local-only `kind` cluster named `cve-2025-1974-lab`.
3. Detect whether `ingress-nginx` is present and attempt to infer the version from deployment images.
4. Assess whether the version appears affected or fixed according to official guidance.
5. Determine whether the Validating Admission Controller appears enabled.
6. Produce a concise risk summary and lab-specific analytics for simulator activity.

## Cleanup

```powershell
pwsh ./scripts/cleanup.ps1
```

This removes the disposable `kind` cluster if present and clears generated report artifacts while preserving repository structure.

## Limitations

- The attack track is a simulator, not a real exploit.
- The project does not test public, shared, or non-local systems.
- Real cluster assessment is limited by the visibility provided by `kubectl` and local cluster state.
- If image tags or admission configuration are hidden or custom, findings may be uncertain.
- Lab detections are synthetic and must not be treated as authoritative real-world IOCs.
- The official Kubernetes issue states there are no known authoritative indicators of compromise.

## References

- [Official Kubernetes advisory](https://kubernetes.io/blog/2025/03/24/ingress-nginx-cve-2025-1974/)
- [Official Kubernetes issue](https://github.com/kubernetes/kubernetes/issues/131009)
- [Original public PoC reference](https://github.com/zulloper/CVE-2025-1974)

## Credits

This project conceptually references the public repository `zulloper/CVE-2025-1974` by GitHub user `@zulloper` for historical/contextual study only. No offensive code has been copied into this repository.

Acknowledgements to Nir Ohfeld, Ronen Shustin, Sagi Tzadik, and Hillai Ben-Sasson from Wiz for responsibly disclosing the vulnerabilities, as recognized in official Kubernetes materials.

This repository is an independent clean-room educational lab for Windows 11 and is not affiliated with or endorsed by `@zulloper`, Wiz, Kubernetes, or the ingress-nginx maintainers.