cbcvebase.
CVE-2025-1974
published 2025-03-26

Priority: P187 | critical | 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 99.10% (99.9th percentile)
KNIME Business Hub is affected by the Ingress-nginx CVE-2025-1974 (a.k.a. IngressNightmare) vulnerability, which affects the ingress-nginx component. In the worst case, a complete takeover of the Kubernetes cluster is possible. Since the affected component is only reachable from within the cluster, i.e. requires an authenticated user, the severity in the context of KNIME Business Hub is slightly lower. Besides applying the publicly known workarounds, we strongly recommend updating to one of the following versions of KNIME Business Hub:
  • 1.13.3 or above
  • 1.12.4 or above
  • 1.11.4 or above
  • 1.10.4 or above

Affected

11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| k8s.io | ingress-nginx | >= 0 < 1.11.5 | 1.11.5 |
| k8s.io | ingress-nginx | >= 1.12.0-beta.0 < 1.12.1 | 1.12.1 |
| knime | business_hub | >= 1.10.0 < 1.10.4 | 1.10.4 |
| knime | business_hub | >= 1.11.0 < 1.11.4 | 1.11.4 |
| knime | business_hub | >= 1.12.0 < 1.12.4 | 1.12.4 |
| knime | business_hub | >= 1.13.0 < 1.13.3 | 1.13.3 |
| knime | knime_business_hub | <= 1.10.3 | |
| knime | knime_business_hub | 1.11.0 – 1.11.3 | |
| knime | knime_business_hub | 1.12.0 – 1.12.3 | |
| knime | knime_business_hub | 1.13.0 – 1.13.2 | |
| msrc | azure_kubernetes_service | | |

Detection & IOCs (extracted from sources)

command: kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx
command: exec.Command(nc.Binary, "-c", cfg, "-t").CombinedOutput()
domain: burpcollaborator.net
other: nginx.ingress.kubernetes.io/backend-protocol: FCGI
other: AdmissionReview (kind: AdmissionReview, apiVersion: admission.k8s.io/v1)
path: /tmp/nginx/<tempNginxPattern>
  • Hunt for anomalous process executions originating from the ingress-nginx namespace or container image, specifically nginx processes spawned with '-t' (config test) flags that may indicate exploitation of the admission controller RCE path.
  • Hunt for behavioral indicators in the ingress-nginx namespace to detect exploitation activity.
  • Monitor outbound IP connections from ingress-nginx pods to detect potential reverse shell or C2 callbacks post-exploitation.
  • Alert on anomalous library loads within the ingress-nginx controller pod, which may indicate exploitation via injected ssl_engine or similar NGINX directives.
  • Detect malicious AdmissionReview requests sent directly to the admission controller (not from the Kubernetes API server) — unauthenticated HTTP requests to the webhook endpoint from arbitrary pods are a strong exploitation indicator.
  • FortiGuard IPS signature available for this CVE: Kubernetes.Ingress.NGINX.Controller.Remote.Code.Execution
  • Detect injection of ssl_engine directive in NGINX configuration via crafted Ingress annotations as an exploitation indicator.
  • The admission controller is accessible over the network without authentication by default, making it reachable from any pod in the cluster network — this is the core exploitable condition.
  • Disabling the admission webhook (controller.admissionWebhooks.enabled=false) is a temporary mitigation but removes important safeguards for Ingress configurations; re-enable after patching.
  • In KNIME Business Hub deployments, the affected component is only reachable from within the cluster (requires an authenticated user), slightly reducing severity compared to publicly exposed deployments.
  • CVE-2025-24513 is different in nature from the other IngressNightmare chain CVEs and does not lead to RCE.

CVSS provenance

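| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vendor_oracle | | 9.8 | CRITICAL | |
| vendor_redhat | | 9.8 | CRITICAL | |
| vendor_msrc | | 8.8 | HIGH | |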