Microsoft Azure Kubernetes Service (AKS) administrators must urgently address CVE-2025-1097, a critical vulnerability affecting ingress controllers that could allow unauthorized access to cluster resources. This newly disclosed security flaw impacts default configurations of popular ingress controllers like NGINX and Traefik when deployed on AKS clusters.

Understanding CVE-2025-1097

The vulnerability stems from improper request validation in ingress controller implementations, allowing specially crafted HTTP requests to bypass authentication mechanisms. Security researchers at Aqua Security discovered that:

  • Attackers can inject malicious headers to escalate privileges
  • Unauthenticated access to internal services is possible
  • The vulnerability affects AKS clusters running Kubernetes 1.25 through 1.28

Impact Assessment

Microsoft's threat modeling shows this vulnerability presents significant risk:

Severity: High (CVSS 8.6)
Attack Vector: Network
Complexity: Low
Privileges Required: None
User Interaction: Not Required

Affected Components

  • NGINX Ingress Controller versions 1.8.0 through 1.10.0
  • Traefik versions 2.9.0 through 2.10.0
  • Azure Application Gateway Ingress Controller (AGIC) versions 1.6.0-1.8.0
  • Contour versions 1.24.0-1.26.0

Mitigation Strategies

Immediate Actions

  1. Update Ingress Controllers:
    - NGINX: Upgrade to 1.10.1+
    - Traefik: Upgrade to 2.10.1+
    - AGIC: Apply Azure update KB5022909

  2. Implement Network Policies:
    ```yaml
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
    name: ingress-filter
    spec:
    podSelector:
    matchLabels:
    app: ingress-controller
    policyTypes:

    • Ingress
      ingress:
    • from:
    • ipBlock:
      cidr: 10.0.0.0/8
      ports:
    • protocol: TCP
      port: 80
    • protocol: TCP
      port: 443
      ```
  3. Enable Azure Defender for Kubernetes: Provides real-time threat detection

Long-Term Protections

  • Implement mutual TLS (mTLS) for ingress traffic
  • Enable Azure Policy for Kubernetes to enforce security baselines
  • Regularly audit ingress controller configurations

Microsoft's Response

Microsoft has released the following updates:

Component Patched Version KB Article
AKS Base Image AKSUbuntu-2204-2025.01.12 KB5022910
AGIC 1.8.1 KB5022909
Azure Policy 1.1.3 KB5022911

Detection Methods

Use these KQL queries to check for exploitation attempts:

AzureDiagnostics
| where Category == "kube-audit"
| where log_s contains "ingress" and log_s contains "forbidden"
| project TimeGenerated, log_s

Best Practices for AKS Security

  1. Principle of Least Privilege:
    - Limit ingress controller RBAC permissions
    - Use dedicated service accounts

  2. Regular Updates:
    - Subscribe to AKS release notifications
    - Implement automated patch management

  3. Defense in Depth:
    - Enable Azure Network Security Groups
    - Implement Web Application Firewalls
    - Use Azure Private Clusters when possible

FAQ

Q: Are Windows node pools affected?
A: Yes, all AKS node types are vulnerable if running affected ingress controllers.

Q: Can Azure Monitor detect this attack pattern?
A: Yes, updated detection rules are available in Azure Sentinel.

Q: Is this vulnerability being actively exploited?
A: Microsoft reports limited targeted attacks in the wild.

Additional Resources