Definition

CVE-2025-1097, CVE-2025-1098, CVE-2025-24514 and CVE-2025-1974 are vulnerabilities affecting Ingress NGINX Controller for Kubernetes.

Those vulnerabilities result in an unauthenticated remote code execution that can lead to a cluster takeover.

How it works

To be vulnerable, one must use an ingress NGINX Controller.

When using ingress NGINX, an admission controller is deployed within pods. Their purpose is to validate incoming ingress objects before they're deployed. The issue is that admission controllers are accessible by default over the network without authentication. This lack of authentication gives the opportunity to an attacker to inject an arbitrary NGINX configuration remotely by sending a malicious ingress object directly to the admission controller via the network.

Once the admission controller receives the object, it constructs an NGINX configuration from this latter and validates it via the NGINX binary. During this validation phase, the injected configuration causes the NGINX validator to execute code, leading to a remote code execution on the ingress NGINX controller's pod.

The elevated privileges and unrestricted network accessibility can lead to an access to all the cluster's secrets across namespaces, and thus, possibly, to a complete cluster takeover.

Impact

Ingress Nightmare has a critical impact of security:

• It allows attackers to perform remote code execution that can lead to a cluster takeover.

Detection

Check if you're using Ingress NGINX. For instance, by running this command :

kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx

the affected version of ingress NGINX are :

• < v1.11.0
• v1.11.0 - 1.11.4
• v1.12.0

Fix

• Update Ingress NGINX Controller to the latest version
• Ensure the admission webhook endpoint is not exposed externally.

⚠️ If you cannot perform an upgrade at the moment :

• Enforce network policies in a way that only the Kubernetes API can access the admission controller.
• Temporarily disable the admission controller component of Ingress NGINX.

Conclusion

Ingress Nightmare is based on 5 vulnerabilities: CVE-2025-1097, CVE-2025-1098, CVE-2025-24514 and CVE-2025-1974.

The exploitation of those vulnerabilities leads to unauthorized access to all secrets stored across all namespaces in the Kubernetes cluster by attackers, which can result in cluster takeover.

Finally, it’s worth noting that a POC has been released.

Documentation

Kubernetes Issues :

• https://github.com/kubernetes/kubernetes/issues/131006
• https://github.com/kubernetes/kubernetes/issues/131007
• https://github.com/kubernetes/kubernetes/issues/131008
• https://github.com/kubernetes/kubernetes/issues/131009
• https://github.com/kubernetes/kubernetes/issues/131005

POC :

• https://github.com/sandumjacob/IngressNightmare-POCs

Complete report

• https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities

Definition

CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226 are high-severity vulnerabilities affecting VMware ESXi, Workstation, and Fusion. These vulnerabilities allow attackers to potentially execute arbitrary code, escalate privileges, or leak sensitive information on the affected systems.

How it Works

These vulnerabilities specifically impact VMware’s hypervisors and virtualization products. Attackers can exploit these flaws through different mechanisms:

• CVE-2025-22224 is a TOCTOU (Time-of-Check Time-of-Use) vulnerability that allows local attackers with administrator privileges to execute arbitrary code on the ESXi or Workstation system. The issue arises when a user accesses a resource in an unsynchronized manner, potentially allowing the attacker to inject malicious code into the execution flow.
• CVE-2025-22225 enables local attackers to escalate their privileges within the system by exploiting an improper handling of certain memory operations. This flaw allows attackers to overwrite protected memory, which could lead to arbitrary code execution or a full system compromise.
• CVE-2025-22226 involves a memory leak in the affected VMware products. An attacker can exploit this flaw to gain access to sensitive information stored in the system's memory, compromising the confidentiality of the data. This vulnerability allows attackers to read memory that could contain confidential information, such as encryption keys or user credentials.

Impact

The impact of these vulnerabilities is significant, as they allow an attacker to gain unauthorized access or execute malicious actions within a virtualized environment. The potential effects are:

• Remote Code Execution (RCE): If successfully exploited, attackers can execute arbitrary code on the affected VMware system, taking control over the entire virtual environment.
• Privilege Escalation: Attackers can elevate their privileges, allowing them to perform actions normally restricted to high-level administrative users.
• Data Disclosure: Sensitive information can be leaked, increasing the risk of privacy violations and the theft of critical data.

These vulnerabilities pose an elevated risk to both production environments and test systems, as they directly affect the integrity and confidentiality of virtual machines and virtual networks.

Fix

To mitigate these vulnerabilities, VMware has released patches for the affected versions. Users are encouraged to apply these patches as soon as possible to prevent exploitation.

Steps to Apply the Fix:

1. Update to the latest VMware versions:

   • VMware ESXi 8.0: Update to ESXi80U3d-24585383 or ESXi80U2d-24585300
   • VMware ESXi 7.0: Update to ESXi70U3s-24585291
   • VMware Workstation 17.x: Update to 17.6.3
   • VMware Fusion 13.x: Update to 13.6.3

2. Disable Vulnerable Features (if updates are not yet available): In some cases, disabling certain features can temporarily mitigate the risk while waiting for patches:

   • Disable unnecessary or vulnerable virtual machine options.
   • Review and restrict access to vulnerable ports.

3. Verify Security Updates: Ensure that your system is updated by checking for the latest security patches released by VMware. Regularly visit VMware's official website or security advisories for the latest fixes.

Detection

To detect whether your system is vulnerable, perform the following checks:

1. Verify VMware Version:

   • For VMware ESXi, check the version using the command esxcli system version get.
   • For VMware Workstation and Fusion, check the version through the application interface or by using vmware -v.

2. Check for Known Exploit Triggers:

   • Ensure that the features associated with the CVEs (e.g., certain memory operations or resource access mechanisms) are not in use.
   • Check system logs for any unusual activity that might indicate an exploit attempt.

Conclusion

CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226 are critical vulnerabilities affecting VMware’s ESXi, Workstation, and Fusion platforms. If left unaddressed, these flaws can result in severe consequences, including unauthorized code execution, privilege escalation, and sensitive data leakage. It is highly recommended that users of the affected VMware products apply the patches provided by VMware to mitigate the risks. Regularly checking for updates and monitoring system activity can help detect potential exploitation attempts and safeguard your virtualized environments.

Documentation

For more information and updates on these CVEs, refer to the following links:

• Zero-Day Vulnerabilities in VMware ESXi, Workstation and Fusion Exploited
• NVD CVE-2025-22224
• NVD CVE-2025-22225
• NVD CVE-2025-22226

Definition

CVE-2024-47076, CVE-2024-47175, CVE-2024-47176 and CVE-2024-47177 are vulnerabilities affecting CUPS.

Those vulnerabilities allow an attacker to create a malicious printer, attach it to a CUPS server without any authentication, and execute remote commands on that server.

How it works

CUPS is vulnerable only when cups-browsed is enabled.

In that situation the port 631 is left opened, giving access to attackers to a vulnerable server that allows unrestricted access such as the public internet or an internal network where local connections are trusted.

Via an UDP-based protocol, an attacker can advertise a malicious IPP (Internet Printing Protocol) and thereby set up a malicious (virtual) printer. If a victim tries to print anything on that printer, the attacker will be able to execute remote commands on the CUPS server.

Impact

CUPS RCE has a medium impact of security:

• It allows attackers to execute remote code execution ONLY if the victim tries to print anything via the malicious printer.

Fix

Check your OS editor in order to see if they have already released a patch for those vulnerabilities or not.

If it's not the case, here are some mitigations steps you can apply in the meantime:

- Edit /etc/cups/cups-browsed.conf
- Search for the BrowseRemoteProtocols configuration option
- Set the option to none (the default value is "dnssd cups")
- Restart cups-browsed using systemctl restart cups-browsed

Another option is to disable cups-browsed service:

- systemctl disable --now cups-browsed

Here are some OS editors blogposts regarding those CVE and available patches:

• https://ubuntu.com/blog/cups-remote-code-execution-vulnerability-fix-available
• https://www.redhat.com/en/blog/red-hat-response-openprinting-cups-vulnerabilities
• https://security-tracker.debian.org/tracker/CVE-2024-47177
• https://security-tracker.debian.org/tracker/CVE-2024-47176
• https://security-tracker.debian.org/tracker/CVE-2024-47076
• https://security-tracker.debian.org/tracker/CVE-2024-47175

Detection

For Linux users check:

• If cups-browsed is enabled on your machine
• The version of CUPS. The affected versions of CUPS by the vulnerabilities are the following:
  • cups-browsed <= 2.0.1
  • cups-filters <= 2.0.1
  • libcupsfilters <= 2.1b1
  • libppd <= 2.1b1

For MacOS users, at the moment, there's no indication that your machine could be affected by those vulnerabilities.

Conclusion

CUPS RCE is based on 4 vulnerabilities : CVE-2024-47076, CVE-2024-47175, CVE-2024-47176 and CVE-2024-47177.

They allow an attacker to perform remote code execution if a victim prints something on a malicious printer set on a vulnerable server with the help of cups-browsed.

So far, only Linux users are impacted depending on their version of CUPS and if the service is enabled or not.

Documentation

• https://ubuntu.com/blog/cups-remote-code-execution-vulnerability-fix-available
• https://www.redhat.com/en/blog/red-hat-response-openprinting-cups-vulnerabilities
• https://security-tracker.debian.org/tracker/CVE-2024-47177
• https://security-tracker.debian.org/tracker/CVE-2024-47176
• https://security-tracker.debian.org/tracker/CVE-2024-47076
• https://security-tracker.debian.org/tracker/CVE-2024-47175

Regresshion

Definition

CVE-2024-6387, named RegreSSHion, is a vulnerability affecting OpenSSH.

This vulnerability allows an attacker to remotely execute arbitrary code with Root privileges. This is a regression of CVE-2006-5051: the vulnerability was patched but reappeared after numerous software updates.

How it works

In order to authenticate an SSH session, the connecting user must complete the process within a given time. If this is not the case, a signal is sent by the system, SIGALRM, which is processed asynchronously and triggers actions at system level. The problem is that the actions triggered were not designed to be securely asynchronous.

If several conditions are met, an attacker can exploit this vulnerability to trigger a race condition: a situation in which a signal is processed while another action is executed. In this case, the action can be stopped prematurely and cause the system not to act as expected.

In the case of RegreSSHion, the race condition (if successfully exploited) leads to a memory boundary violation and remote code execution (RCE).

Impact

It is clear that RegreSSHion is a major security problem. It allows an attacker to potentially :

• Shut down hosts remotely
• Install malware and spyware on critical hosts
• Access critical data
• Create persistent access to critical hosts
• Erase access logs and manipulate proof of intrusion.

In order to exploit the vulnerability, an attacker needs to make a large amount of attempts (tens of thousands). As mentioned above, in order for the signal to be processed asynchronously, the user must wait a certain amount of time before sending attempts: this makes the attack very slow: it may take a few days. In addition, the attacker must create a custom payload for the specific version of the vulnerable package and operating system he is attacking.

Fix

There are two ways to mitigate this vulnerability. You can update the package if a patched version exists and you can set LoginGraceTime to 0 in the sshd_config file located in /etc /ssh /sshd_config. This should only be done if there is no corrected version, as this configuration makes the host vulnerable to a denial of service.

For the update part, you can follow the following guides to update your packages:

• Ubuntu: https://ubuntu.com/security/CVE-2024-6387

  • Jammy: 1:8.9p1-3ubuntu0.10
  • Mantic: 1:9.3p1-1ubuntu3.6
  • Noble: 1:9.6p1-3ubuntu13.3

• Debian: https://security-tracker.debian.org/tracker/CVE-2024-6387

  • Bullseye: 1:8.4p1-5+deb11u3
  • Bookworm (Security): 1:9.2p1-2+deb12u3
  • Sid: 1:9.7p1-7

Detection

To detect whether the vulnerability affects your system, you need to find the vulnerable packages.

Conclusion

RegreSSHion is a resurgence of a 2006 vulnerability identified as CVE-2006-5051.

It allows an attacker to execute code as root on unauthorised hosts. These hosts must have the vulnerable version of the OpenSSH packages, which can be found in the vendors' security advisories.

RegreSSHion has an impact on many systems as OpenSSH is widely used to secure access to other hosts.

An update is required to correct the problem.

Documentation

• https://nvd.nist.gov/vuln/detail/CVE-2024-6367
• https://nvd.nist.gov/vuln/detail/CVE-2006-5051
• https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server
• https://www.picussecurity.com/resource/blog/openssh-regresshion-cve-2024-6387-vulnerability-exploitation-mitigation
• https://seclists.org/oss-sec/2024/q3/2
• https://www.cert.ssi.gouv.fr/alerte/CERTFR-2024-ALE-009/
• https://www.kaspersky.com/blog/openssh-vulnerability-mitigation-cve-2024-6387-regresshion/51603/