CVE-2025-1974

Severity: CRITICAL (CVSS 3.1 base score 9.8)
Published: 2025-03-25 ([email protected])

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Patch Released (nvd, Mar 31, 2026 - 21:13): Patch available
Analysis Generated (vuln.today, Mar 28, 2026 - 18:33)
PoC Detected (vuln.today, Feb 04, 2026 - 20:16): Public exploit code
CVE Published (nvd, Mar 25, 2025 - 00:15)

Description

A security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

Analysis

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access to achieve arbitrary code execution in the controller context. Dubbed 'IngressNightmare', this flaw exposes cluster Secrets including TLS certificates and service account tokens accessible to the ingress controller.

Technical Context

The ingress-nginx controller's admission webhook validates Ingress resources but can be exploited to inject arbitrary NGINX configuration directives. By sending crafted AdmissionReview requests to the webhook endpoint, an attacker with pod network access can inject configuration that causes the controller to execute arbitrary code. The controller typically has read access to all cluster Secrets for TLS termination.

Affected Products

ingress-nginx controller (default Kubernetes installation)
Kubernetes clusters using ingress-nginx for ingress management

Remediation

Update the ingress-nginx controller to the patched version. Restrict network access to the admission webhook endpoint using NetworkPolicies so that only the kube-apiserver can reach it. Minimize the controller's RBAC permissions (in the default installation it can read all Secrets cluster-wide). Consider migrating to an alternative ingress controller with a smaller privilege footprint.
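As an added example that is not part of this advisory, the following NetworkPolicy implements the "restrict network access to the admission webhook" step above: normal HTTP/HTTPS traffic still reaches the controller, while the webhook port is reachable only from the control plane. It assumes the controller runs in the ingress-nginx namespace with the upstream labels app.kubernetes.io/name=ingress-nginx and app.kubernetes.io/component=controller, that the webhook listens on container port 8443, and that the control-plane CIDR is a placeholder you replace with your own.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ingress-nginx-restrict-admission-webhook
  namespace: ingress-nginx            # assumption: controller namespace
spec:
  # Assumed labels of the ingress-nginx controller pods.
  podSelector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/component: controller
  policyTypes:
  - Ingress
  ingress:
  # Rule 1: keep serving ingress traffic. A rule with ports but no
  # "from" allows those ports from any source.
  - ports:
    - port: 80
      protocol: TCP
    - port: 443
      protocol: TCP
  # Rule 2: the admission webhook port is only reachable from the
  # kube-apiserver. Pods in the cluster no longer match any rule for
  # 8443, so their connections to the webhook are dropped.
  - from:
    - ipBlock:
        cidr: 10.0.0.0/24             # PLACEHOLDER: control-plane CIDR
    ports:
    - port: 8443                      # assumption: webhook container port
      protocol: TCP
```

NetworkPolicy is only enforced by a CNI that supports it, and a controller deployed with hostNetwork is not covered by a podSelector policy, so verify enforcement (for example, by confirming a test pod cannot open port 8443 on the controller) before relying on it. Any other port the controller exposes, such as metrics or health checks, needs its own rule or it will also be blocked.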

Priority Score

Priority score: 159
Score components: KEV 0, EPSS +90.3, CVSS +49, POC +20

Vendor Status

CVE-2025-1974 vulnerability details – vuln.today