Lacework
mary (Staff)
Article Id 384503
Description

This article explains CVE-2025-1974, a critical vulnerability in the Kubernetes Ingress-NGINX controller. The controller renders values taken from Ingress annotations into the NGINX configuration it generates and validates; crafted annotation values can inject arbitrary NGINX directives into that configuration and lead to arbitrary code execution inside the controller pod. Snippet annotations (server-snippet and related annotations), enabled with --enable-annotation-snippets, let Ingress authors write raw NGINX directives into the same configuration and therefore widen this injection surface. Early reports indicate exploitation attempts against live environments; because the controller pod can read Secrets cluster-wide, a compromise exposes credentials for every workload it fronts and enables lateral movement within the cluster.

Scope

Affected Versions: Ingress-NGINX < v1.11.0, v1.11.0 through v1.11.4, and v1.12.0. Clusters that additionally run the controller with --enable-annotation-snippets=true expose the largest injection surface.

Attack Vector: Crafted Ingress annotation values (including raw NGINX directives supplied through server-snippet and similar snippet annotations) that the controller renders into its generated NGINX configuration without sufficient sanitization. The controller's validating admission webhook processes submitted Ingress objects from any client that can reach it on the pod network, so the attacker does not need to be a legitimate Ingress author.

Potential Impact:

  • Pod-Level Exploitation: Attackers can execute arbitrary code in the controller pod, which holds the TLS private keys for the Ingresses it serves and has RBAC permission to read Secrets in all namespaces.
  • Cluster-Wide Threat: With those credentials, malicious actors can pivot to other services, escalate privileges, and access additional resources across the cluster.
Solution

1. Apply Official Patches: Upgrade to Ingress-NGINX v1.11.5, v1.12.1, or any later release. Upgrading is the only complete fix; the hardening steps below reduce exposure but do not remove the vulnerability.

2. Disable Snippet Annotations

  • Run the controller without --enable-annotation-snippets unless custom server-snippet functionality is strictly required. The flag allows any user who can create an Ingress to place raw NGINX directives into the shared controller configuration.
  • Removing unnecessary configuration features minimizes avenues for attack and limits what an injected directive can do.

3. Implement Continuous Security and Posture Analysis 

  • Use posture analysis that detects high-risk Kubernetes settings, such as controllers started with snippet annotations enabled or running an affected image version, and that identifies related misconfigurations (e.g. privileged containers or open service ports). See Kubernetes Activity Policies for examples.
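The three steps above can be checked together from cluster inventory. The script below is an added example, not Lacework/FortiCNAPP or ingress-nginx project code: it reads the JSON that `kubectl get deploy -A -o json` and `kubectl get ingress -A -o json` produce and reports controller images below the fixed releases, controllers launched with --enable-annotation-snippets, and Ingress objects that carry snippet annotations. The sample documents embedded in it are constructed for the demo, and the image-name filter ("ingress-nginx/controller") is an assumption that holds for the upstream registry but may need adjusting for private mirrors.

```python
"""Offline posture check for the Ingress-NGINX issue described above.

Added example (not vendor or project code). Feed it the output of
`kubectl get deploy -A -o json` and `kubectl get ingress -A -o json`,
or run it with no arguments to use the constructed samples below.
"""
import json
import re
import sys

# Fixed releases named in the advisory: 1.11.5, 1.12.1 and anything later.
FIXED_1_11 = (1, 11, 5)
FIXED_1_12 = (1, 12, 1)
SNIPPET_FLAG = "--enable-annotation-snippets"
ANNOTATION_PREFIX = "nginx.ingress.kubernetes.io/"
CONTROLLER_IMAGE_HINT = "ingress-nginx/controller"  # assumption: upstream image path


def parse_version(image: str):
    """Extract (major, minor, patch) from a ref such as
    registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:...; None if untagged."""
    m = re.search(r":v?(\d+)\.(\d+)\.(\d+)", image)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable_version(v) -> bool:
    """Everything below 1.11.5 is affected; on the 1.12 line only 1.12.0 is."""
    if v < FIXED_1_11:
        return True
    return v[:2] == (1, 12) and v < FIXED_1_12


def snippets_enabled(container: dict) -> bool:
    """True if the controller is started with --enable-annotation-snippets,
    either as a bare boolean flag or with an explicit =true."""
    for arg in container.get("args", []) + container.get("command", []):
        if arg == SNIPPET_FLAG or arg == SNIPPET_FLAG + "=true":
            return True
    return False


def audit(deployments: dict, ingresses: dict) -> dict:
    """Return the three finding lists a posture policy would raise."""
    findings = {"vulnerable_controllers": [], "snippets_enabled": [], "snippet_ingresses": []}
    for d in deployments["items"]:
        ns, name = d["metadata"]["namespace"], d["metadata"]["name"]
        for c in d["spec"]["template"]["spec"]["containers"]:
            if CONTROLLER_IMAGE_HINT not in c["image"]:
                continue  # not the ingress-nginx controller
            v = parse_version(c["image"])
            if v and is_vulnerable_version(v):
                findings["vulnerable_controllers"].append((ns, name, ".".join(map(str, v))))
            if snippets_enabled(c):
                findings["snippets_enabled"].append((ns, name))
    for ing in ingresses["items"]:
        ns, name = ing["metadata"]["namespace"], ing["metadata"]["name"]
        for key in ing["metadata"].get("annotations", {}):
            # server-snippet, configuration-snippet, etc. all end in "-snippet"
            if key.startswith(ANNOTATION_PREFIX) and key.endswith("-snippet"):
                findings["snippet_ingresses"].append((ns, name, key))
    return findings


# Constructed sample inventory: one affected controller with snippets on,
# one Ingress using server-snippet and one that does not.
SAMPLE_DEPLOYMENTS = {"items": [{
    "metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "controller",
        "image": "registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:0000",
        "args": ["/nginx-ingress-controller",
                 "--election-id=ingress-nginx-leader",
                 "--enable-annotation-snippets=true"],
    }]}}},
}]}
SAMPLE_INGRESSES = {"items": [
    {"metadata": {"namespace": "shop", "name": "web",
                  "annotations": {"nginx.ingress.kubernetes.io/server-snippet": "add_header X-Demo 1;"}}},
    {"metadata": {"namespace": "shop", "name": "api",
                  "annotations": {"nginx.ingress.kubernetes.io/rewrite-target": "/"}}},
]}

if __name__ == "__main__":
    if len(sys.argv) == 3:  # real cluster: deploy JSON and ingress JSON files
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            deps, ings = json.load(f1), json.load(f2)
    else:
        deps, ings = SAMPLE_DEPLOYMENTS, SAMPLE_INGRESSES
    print(json.dumps(audit(deps, ings), indent=2))
```

Any entry in `vulnerable_controllers` means step 1 is outstanding; entries in `snippets_enabled` and `snippet_ingresses` show where step 2 would break existing configuration, so review those Ingresses before removing the flag.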


To explore advanced runtime threat detection capabilities, consider a demo of FortiCNAPP.