String of defects in popular Kubernetes component puts 40% of cloud environments at risk

More than 40% of cloud environments are at risk of cluster takeover due to a series of five recently discovered vulnerabilities, one rated critical, in the Ingress Nginx Controller for Kubernetes, according to security research published this week.

Upon discovering the string of vulnerabilities in one of the most widely used ingress controllers for Kubernetes, Wiz researchers dubbed the chain "IngressNightmare" in a blog post Monday. The most serious defect, an unauthenticated remote code execution vulnerability tracked as CVE-2025-1974, has a CVSS score of 9.8.

Security researchers told CyberScoop they aren’t aware of any active exploitation, but the risk for publicly exposed and unpatched Ingress Nginx controllers is extremely high. 

“The exploit chain is unauthenticated and a target is vulnerable in a default configuration,” Stephen Fewer, principal security researcher at Rapid7, said in an email. “With exploit code for CVE-2025-1974 starting to be published online, Kubernetes administrators should remediate publicly-exposed instances on an urgent basis.”

Ingress Nginx maintainers released patches for CVE-2025-1097, CVE-2025-1098, CVE-2025-1974, CVE-2025-24513 and CVE-2025-24514 on Monday. Wiz reported CVE-2025-1974 and CVE-2025-24514 to Kubernetes on Dec. 31, 2024. 

Attackers can achieve unauthenticated remote code execution by chaining CVE-2025-1974, a flaw in the controller's admission webhook, with one of three high-severity configuration injection vulnerabilities: CVE-2025-1097, CVE-2025-1098 or CVE-2025-24514.

Successful exploitation could allow attackers to access cluster-wide secrets, including passwords or tokens, or completely take over a cluster, Fewer said.

Researchers are especially concerned about the potential risk of exploitation because Ingress Nginx Controller is so widely used across Kubernetes environments. 

The open-source tool is deployed in more than 2 in 5 Kubernetes clusters, according to Tabitha Sable, co-chair of SIG Security and member of the Kubernetes Security Response Committee. 

“When combined with today’s other vulnerabilities, CVE-2025-1974 means that anything on the pod network has a good chance of taking over your Kubernetes cluster, with no credentials or administrative access required,” Sable said in a blog post Monday.

The pod network is typically accessible to all workloads in a virtual private cloud and anyone connected to the corporate network, Sable added. “This is a very serious situation.”

Wiz researchers said about 43% of cloud environments, spanning more than 6,500 Kubernetes clusters, including some used by Fortune 500 companies, were potentially at risk of exploitation Monday. Censys scans found about 5,000 publicly exposed and potentially vulnerable hosts Tuesday.

Several public proof-of-concept exploit scripts for the vulnerabilities have appeared online, Fewer said. 

“Due to the root cause of the vulnerabilities being logic-based issues, these vulnerabilities are both relatively simple to exploit, and exploitation is expected to be reliable,” Fewer said. 

“An attacker must first identify an accessible and vulnerable Ingress Nginx controller in a target Kubernetes cluster, along with the admission controller service belonging to that Ingress controller,” he added. “Once a viable target has been identified, the difficulty in exploiting the target will be low.”
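The reconnaissance Fewer describes from the attacker's side has a defensive counterpart: enumerate every ingress-nginx controller in your clusters and check whether it still runs an affected release. The script below is an added example, not code from the article, from Wiz, Rapid7 or the ingress-nginx project. The fixed release numbers it compares against, v1.12.1 and v1.11.5, come from the ingress-nginx project's release notes rather than from this article; the pod label selector assumes the project's standard manifests; and the sample pod list is constructed so the script runs offline.

```shell
#!/bin/sh
# Added triage helper, not code from the article, from Wiz, or from the
# ingress-nginx project. It flags ingress-nginx controller images whose tag
# predates the IngressNightmare fixes. The fixed releases, v1.12.1 and v1.11.5,
# are taken from the ingress-nginx project's release notes, not from the article.

# Return 0 when TAG is an affected controller release, 1 when it is fixed,
# 2 when the tag cannot be judged (pre-release, "latest", custom build).
ingress_nginx_is_vulnerable() {
    tag="${1#v}"                                      # "v1.11.4" -> "1.11.4"
    case "$tag" in
        ""|.*|*.|*..*|*.*.*.*|*[!0-9.]*) return 2 ;;  # malformed or non-numeric
        *.*.*) ;;                                      # exactly major.minor.patch
        *) return 2 ;;
    esac
    major="${tag%%.*}"
    rest="${tag#*.}"
    minor="${rest%%.*}"
    patch="${rest#*.}"
    if [ "$major" -lt 1 ]; then return 0; fi          # 0.x line: never fixed
    if [ "$major" -gt 1 ]; then return 1; fi
    if [ "$minor" -lt 11 ]; then return 0; fi         # 1.10 and older got no fix
    if [ "$minor" -eq 11 ] && [ "$patch" -lt 5 ]; then return 0; fi
    if [ "$minor" -eq 12 ] && [ "$patch" -lt 1 ]; then return 0; fi
    return 1
}

# Read "namespace/pod image" lines on stdin, as emitted by scan_cluster below,
# and print every controller still running an affected tag. Returns 0 when
# nothing affected was found, 1 otherwise.
report_vulnerable_controllers() {
    found=0
    while read -r pod image; do
        [ -n "$image" ] || continue
        ref="${image%%@*}"                            # drop a "@sha256:..." digest
        imgtag="${ref##*:}"                           # text after the last ":"
        if ingress_nginx_is_vulnerable "$imgtag"; then
            echo "VULNERABLE $pod $image"
            found=$((found + 1))
        fi
    done
    [ "$found" -eq 0 ]
}

# Live scan. Needs kubectl and permission to list pods cluster-wide. The
# component label keeps the admission-webhook cert-gen jobs, which carry a
# different image and version line, out of the list.
scan_cluster() {
    kubectl get pods -A \
        -l app.kubernetes.io/name=ingress-nginx,app.kubernetes.io/component=controller \
        -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name} {.spec.containers[0].image}{"\n"}{end}' \
    | report_vulnerable_controllers
}

# Constructed sample of what scan_cluster prints, so the script runs offline.
SAMPLE_PODS='ingress-nginx/ingress-nginx-controller-7f8b5d-x2kqp registry.k8s.io/ingress-nginx/controller:v1.11.4
ingress-nginx/ingress-nginx-controller-7f8b5d-9lmzt registry.k8s.io/ingress-nginx/controller:v1.12.1@sha256:0000000000000000000000000000000000000000000000000000000000000000
edge/ingress-nginx-controller-5c6d9-abcde registry.k8s.io/ingress-nginx/controller:v1.12.0'

# Offline demonstration on the sample; a live scan only when kubectl exists.
printf '%s\n' "$SAMPLE_PODS" | report_vulnerable_controllers \
    || echo "at least one affected controller in the sample"
if command -v kubectl >/dev/null 2>&1; then
    scan_cluster || echo "at least one affected controller in the cluster"
fi
```

Anything the report flags should be upgraded. For clusters that cannot upgrade immediately, the project's own published mitigation was to disable the admission webhook, which removes the component CVE-2025-1974 targets (for Helm installs, `controller.admissionWebhooks.enabled=false`). The scan only sees what kubectl can list: controllers in namespaces your credentials cannot read, or deployed with custom labels, need a manual check, and a tag the parser returns 2 for (pre-release or "latest") is reported as neither fixed nor affected.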

The post String of defects in popular Kubernetes component puts 40% of cloud environments at risk appeared first on CyberScoop.

from CyberScoop https://ift.tt/7SK6iNf

Capital One hacker Paige Thompson got too light a sentence, appeals court rules

A federal appeals court overruled a district court judge’s sentence for Capital One hacker Paige Thompson this week, deciding that the sentence of five years’ probation plus time served was too lenient.

Describing the hack as the “second largest data breach in the United States at the time, causing tens of millions of dollars in damage and emotional and reputational harm to numerous individuals and entities,” two of three judges from the 9th Circuit Court of Appeals said they believed that the sentence was “substantially unreasonable.”

In deciding on the original sentence in 2022, U.S. District Judge Robert Lasnik considered that Thompson was transgender, autistic and had suffered past trauma. He raised the prospect of Bureau of Prisons decisions under a future presidential administration making life more difficult for transgender inmates. He also noted that the hack wasn’t done in a “malicious manner” and that Thompson was “tormented” about her activities.

Thompson was charged with stealing data on 106 million Capital One customers after taking advantage of a misconfigured web application firewall in front of the bank's cloud-hosted infrastructure. Over the course of the investigation, the government found terabytes of additional data Thompson took from more than 30 organizations.

Prosecutors swiftly appealed the sentence, with then-U.S. Attorney Nick Brown saying “this is not what justice looks like.” They argued that the judge gave too much weight to Thompson’s history and personal characteristics.

“We agree that the district court overemphasized Thompson’s personal story,” Judge Danielle Forrest wrote, with Judge Johnnie Rawlinson concurring. “Thompson’s personal background and characteristics are, of course, proper considerations at sentencing, but they may not be the sole basis for the chosen sentence.”

The ruling also disputed the district judge's findings that the hack wasn't malicious and that Thompson was tormented over her behavior. Thompson, a former Amazon Web Services software engineer, blamed victims' incompetence for the theft and encouraged others to hack them, and she also bragged about what she did, the ruling states.

Given that the applicable sentencing guidelines range topped out at 210 months, the majority concluded, the sentence imposed was too lenient.

President Donald Trump appointed Forrest. President Bill Clinton appointed Rawlinson. The third appeals court judge, Jennifer Sung, appointed by President Joe Biden, took issue with the duo’s decision.

What matters most is whether the district judge engaged in “abuse of discretion,” such as a procedural error, and there’s no sign of that in the Thompson sentence, Sung wrote.

The full quote containing Lasnik's "malicious manner" comment sheds more favorable light on the judge's viewpoint, Sung observed. Lasnik said Thompson did not act "in the malicious manner that you want to punish, to the same degree as somebody who gets that information and immediately turns to monetizing it in some way," Sung noted. Thompson also showed signs of being tormented over her activities, openly seeking jail or death.

While the majority said the possible actions of future administrations toward transgender inmates should not play a role in sentencing, Sung said the district court correctly noted that it was "dealing with Paige Thompson, what she did, who she is, is the dilemma before the court today," and therefore the sentence gave proper weight to her being transgender.

The Center for Cybersecurity Policy and Law, in a friend-of-the-court brief supporting the government's appeal, said it would not give its opinion on how long Thompson's sentence should be. But it asked the court to clarify one element in its ruling.

“It is critical for legal frameworks to maintain the distinction between good-faith security research and harmful criminal activities,” it wrote in its brief. “The Center is interested in this proceeding because a perception that the sentencing at issue was based on the Defense’s arguments in the District Court that the charged conduct was good-faith security research risks eroding the distinction between good-faith security research and harmful criminal activity.

“Addressing this distinction is needed to ensure ethical research is not conflated with actions like the Defendant’s and thus prevent undermining trust between the security, business, and policy communities,” it continued.

The appeals court ruling made no mention of good-faith security research.

Mo Hamoudi, an attorney for Thompson, did not immediately respond to requests for comment.

The case is being sent back to the district court level for resentencing.

The post Capital One hacker Paige Thompson got too light a sentence, appeals court rules appeared first on CyberScoop.

from CyberScoop https://ift.tt/omfKa7B