yuvalmamka
Employee

CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974: Ingress NGINX Controller RCE (Critical)

Background

On March 24, 2025, Wiz Research disclosed critical vulnerabilities in the Kubernetes Ingress NGINX Controller that allow unsanitized user input to be injected into the temporary NGINX configuration file during validation. This unsanitized input, when processed by the nginx -t command, can lead to remote code execution (RCE) on the pod running the controller.
 
Additional information can be found in this blog.
 
Important Note: In order to exploit this vulnerability, the attacker must have network access to the ingress controller’s pod to send arbitrary AdmissionReview requests. While such access is not available by default in many environments, it can be achieved if the attacker gains a foothold within the cluster - such as through compromising another pod - or by leveraging SSRF vulnerabilities. This requirement raises the barrier for exploitation, although it does not eliminate the risk.
 

Updates to CloudGuard WAF Nano Agent for Kubernetes (K8s)

Our security team verified that our Helm chart deployment of open-appsec / Check Point CloudGuard WAF - which uses the Ingress NGINX Controller - was affected by these vulnerabilities. To address this issue, within 24 hours, we provided the fix by updating the controller to version 1.21.1, which includes all the necessary patches and improvements to ensure proper sanitization of user inputs during configuration generation.
 
To keep your systems safe, we recommend updating your NGINX Helm chart. You can find all detailed deployment steps with updated Helm chart versions here: https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/kubernetes-ingress
 
We highly recommend updating your deployment as soon as possible to ensure everything stays secure.
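The post above tells readers to upgrade, but does not show how to find out which clusters still run a vulnerable controller. The following script is an added example (not code from the original post, and not from Check Point, open-appsec or the ingress-nginx project): it parses the JSON that `kubectl get pods -A -o json` and `kubectl get validatingwebhookconfigurations -o json` return, flags every ingress-nginx controller image whose tag predates the upstream fixed releases (v1.12.1 for the 1.12 line, v1.11.5 for the 1.11 line; older lines never received a fix), and reports whether the ingress-nginx admission webhook is registered, since the validating webhook is the code path the CVEs sit in. The two sample documents are constructed for illustration, and the webhook name `validate.nginx.ingress.kubernetes.io` is assumed to match the upstream chart's naming; if you renamed it, adjust `ADMISSION_WEBHOOK`.

```python
"""Triage for the March 2025 ingress-nginx admission-controller CVEs.

Added example, not code from the forum post or from any vendor/project.
Feed it the output of:
  kubectl get pods -A -o json
  kubectl get validatingwebhookconfigurations -o json
"""
import json
import re
from typing import List, Optional, Tuple

# Upstream ingress-nginx releases that contain the fix, keyed by release line.
FIXED = {(1, 12): (1, 12, 1), (1, 11): (1, 11, 5)}

# Image repositories published by the upstream project.
CONTROLLER_REPOS = ("ingress-nginx/controller", "ingress-nginx/controller-chroot")

# Assumption: the upstream chart registers its webhook under this name.
ADMISSION_WEBHOOK = "validate.nginx.ingress.kubernetes.io"

_TAG_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_tag(image: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from an image reference, or None if the
    tag is missing or unparseable (e.g. only a digest, or a registry port)."""
    ref = image.split("@", 1)[0]          # drop any @sha256:... digest
    _repo, sep, tag = ref.rpartition(":")
    if not sep or "/" in tag:             # no tag, or ':' was a registry port
        return None
    m = _TAG_RE.match(tag)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def is_vulnerable(version: Tuple[int, int, int]) -> bool:
    """True if the version predates the patched release of its line.
    Lines older than 1.11 were never fixed; lines newer than 1.12 are fixed."""
    line = version[:2]
    if line in FIXED:
        return version < FIXED[line]
    return line < (1, 11)


def find_vulnerable_controllers(pods_doc: dict) -> List[Tuple[str, str, str]]:
    """(namespace, pod, image) for controller pods that are vulnerable or whose
    tag could not be parsed; unparseable tags are reported for manual review."""
    hits = []
    for pod in pods_doc.get("items", []):
        meta = pod.get("metadata", {})
        for c in pod.get("spec", {}).get("containers", []):
            image = c.get("image", "")
            if not any(repo in image for repo in CONTROLLER_REPOS):
                continue
            ver = parse_tag(image)
            if ver is None or is_vulnerable(ver):
                hits.append((meta.get("namespace", ""), meta.get("name", ""), image))
    return hits


def admission_webhook_registered(webhooks_doc: dict) -> bool:
    """True if the ingress-nginx validating webhook is still registered."""
    return any(hook.get("name") == ADMISSION_WEBHOOK
               for cfg in webhooks_doc.get("items", [])
               for hook in cfg.get("webhooks", []))


# Constructed sample data: two controller pods in ingress-nginx, one app pod,
# one forgotten controller on an unsupported line.
SAMPLE_PODS = {"items": [
    {"metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller-abc12"},
     "spec": {"containers": [{"name": "controller",
              "image": "registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:deadbeef"}]}},
    {"metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller-def34"},
     "spec": {"containers": [{"name": "controller",
              "image": "registry.k8s.io/ingress-nginx/controller:v1.12.1"}]}},
    {"metadata": {"namespace": "web", "name": "frontend-1"},
     "spec": {"containers": [{"name": "app", "image": "nginx:1.27"}]}},
    {"metadata": {"namespace": "legacy", "name": "ingress-nginx-controller-old"},
     "spec": {"containers": [{"name": "controller",
              "image": "registry.k8s.io/ingress-nginx/controller:v1.10.1"}]}},
]}
SAMPLE_WEBHOOKS = {"items": [
    {"metadata": {"name": "ingress-nginx-admission"},
     "webhooks": [{"name": ADMISSION_WEBHOOK,
                   "clientConfig": {"service": {"namespace": "ingress-nginx",
                                                "name": "ingress-nginx-controller-admission"}}}]},
]}


if __name__ == "__main__":
    for ns, pod, image in find_vulnerable_controllers(SAMPLE_PODS):
        print(f"UPGRADE {ns}/{pod}: {image}")
    print("admission webhook registered:", admission_webhook_registered(SAMPLE_WEBHOOKS))
    print(json.dumps(FIXED.__repr__()))  # fixed-release table, for the report header
```

Run it against real cluster output by replacing the two sample dictionaries with `json.load(open("pods.json"))` and `json.load(open("webhooks.json"))`. A controller that is both on a vulnerable tag and still has the webhook registered is the case the post warns about; the upstream guidance is to upgrade, and, if that cannot happen immediately, to disable the admission webhook until it does.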
 
 
4 Replies
yuvalmamka
Employee

I can also approve that WAF as a Service I/S was not impacted by this disclosure.

the_rock
Legend

Hi Yuval,

For regular gateways, is this all covered with latest IPS updates?

Andy

yuvalmamka
Employee

WAF Gateways were not impacted.

the_rock
Legend

What about regular gateways?
