CVE-2025-1097

HIGH NUCLEI

Kubernetes ingress-nginx auth-tls-match-cn - Controller Code Execution

Title source: manual

Exploitation Summary

EIP tracks 4 public exploits for CVE-2025-1097. PoCs published by Beatriz Fresno Naumova, hakaioffsec, Esonhugh. A Nuclei detection template is also available.

AI-analyzed exploit summary This exploit demonstrates a file descriptor injection vulnerability in the Ingress-NGINX Admission Controller, leading to remote code execution by uploading a malicious shared object and brute-forcing file descriptors.

Description

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-cn` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

Exploits (4)

exploitdb WORKING POC

by Beatriz Fresno Naumova · textremotemultiple

https://www.exploit-db.com/exploits/52475

View Code ZIP pw:eip

This exploit demonstrates a file descriptor injection vulnerability in the Ingress-NGINX Admission Controller, leading to remote code execution by uploading a malicious shared object and brute-forcing file descriptors.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Ingress-NGINX Admission Controller v1.10.0 to v1.11.1

No auth needed

Prerequisites: Access to the admission webhook URL · Ability to upload a malicious shared object to the ingress controller

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC 248 stars

by hakaioffsec · poc

https://github.com/hakaioffsec/IngressNightmare-PoC

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2025-1097, targeting unauthenticated RCE in the Ingress NGINX Controller for Kubernetes. The exploit compiles a shared object with a reverse shell payload, uploads it via a manipulated HTTP request, and brute-forces file descriptors to trigger execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Ingress NGINX Controller for Kubernetes (versions prior to 1.12.1 or 1.11.5)

No auth needed

Prerequisites: Python 3.x · GCC compiler · access to the target Ingress NGINX Controller · admission webhook URL

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

github WORKING POC 92 stars

by Esonhugh · gopoc

https://github.com/Esonhugh/ingressNightmare-CVE-2025-1974-exps

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2025-1907, targeting Kubernetes ingress-nginx. The exploit leverages a vulnerability in the handling of HTTP requests to achieve remote code execution by manipulating temporary files and admission webhook configurations.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: kubernetes/ingress-nginx

No auth needed

Prerequisites: Access to the ingress-nginx controller admission webhook URL · Access to the upload URL for the ingress-nginx controller

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 19, 2026 Full analysis →

nomisec WORKING POC 9 stars

by lufeirider · poc

https://github.com/lufeirider/IngressNightmare-PoC

View Code ZIP pw:eip

This PoC exploits CVE-2025-1097, a vulnerability in Kubernetes Ingress, by sending a maliciously crafted AdmissionReview request. The exploit uses a base64-encoded payload to achieve remote code execution (RCE) on the target system.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Kubernetes Ingress (version not explicitly specified)

Auth required

Prerequisites: Access to Kubernetes API server · Valid authentication credentials

MITRE ATT&CK

T1059 - Command and Scripting Interpreter T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Ingress-Nginx Controller - Configuration Injection via Unsanitized `auth-tls-match-cn` Annotation

HIGHVERIFIEDby iamnoooob,rootxharsh,pdresearch

Shodan: ssl:"ingress-nginx" port:8443

References (3)

Core 3

Core References

Exploit, Third Party Advisory

https://www.exploit-db.com/exploits/52475

Issue Tracking

https://github.com/kubernetes/kubernetes/issues/131007

Vendor Advisory

https://security.netapp.com/advisory/ntap-20250328-0008/

Scores

CVSS v3 8.8

EPSS 0.3429

EPSS Percentile 98.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-20

Status published

Products (3)

k8s.io/ingress-nginx 0 - 1.11.5Go

kubernetes/ingress-nginx < 1.11.4

kubernetes/ingress-nginx 1.12.0

Published Mar 25, 2025

Tracked Since Feb 18, 2026