Threat Briefing — Mar 28, 2025

Weekly Threat Briefing - Mar 24 - Mar 28

TLP: CLEAR - This information may be shared publicly

eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.

Noteworthy News

IngressNightmare

Bottom Line: On March 24th, Wiz Research released a detailed report on a series of vulnerabilities found within Ingress NGINX Controller for Kubernetes called IngressNightmare. Organizations are urged to apply relevant security patches as soon as possible as Proof of Concept (PoC) exploit code has been released.

On March 24th, Kubernetes released an advisory providing details on a series of critical vulnerabilities in the Ingress NGINX Controller and confirming that security patches are available. Ingress is a Kubernetes API object that defines how external HTTP/HTTPS traffic is routed to Services inside a cluster, while an Ingress Controller implements those rules, acting as a reverse proxy and load balancer and providing the entry point for external traffic to services inside the cluster. Due to its ease of use and versatility, ingress-nginx is deployed in over 40% of Kubernetes clusters.

In a blog post released the same day, Wiz Research described their discovery of the vulnerabilities in December 2024 and January 2025, and gave a timeline of Wiz and Kubernetes working together to create and test security patches prior to public disclosure. Wiz Research dubbed the series of vulnerabilities IngressNightmare and provides a breakdown of each in their blog post. Wiz Research reports that when the vulnerabilities are chained together, exploitation can lead to unauthorized access to all secrets stored across all namespaces within the Kubernetes cluster, resulting in cluster takeover. Patched versions of Ingress NGINX, 1.11.5 and 1.12.1, were released on March 24th.

CVE-2025-1097, CVE-2025-1098, and CVE-2025-24514 (CVSS: 8.8) are configuration injection vulnerabilities: attacker-controlled Ingress annotations are passed into the NGINX configuration the controller generates, leading to arbitrary code execution in the context of the ingress-nginx controller and disclosure of the secrets accessible to it. CVE-2025-1974 (CVSS: 9.8) allows an unauthenticated attacker with access to the pod network to achieve arbitrary code execution in the context of the ingress-nginx controller, under certain conditions, by sending a crafted object to the controller's admission webhook. A fifth vulnerability, a directory traversal tracked as CVE-2025-24513 (CVSS: 4.8), was also identified but is not part of the IngressNightmare chain as it does not lead to RCE. Proof-of-Concept (PoC) exploit code for IngressNightmare was published on GitHub on March 26th by Hakai Security.

eSentire Threat Intelligence Analysis:

Due to the widespread usage of Ingress NGINX within Kubernetes clusters, many organizations are likely impacted by these vulnerabilities. The release of PoC exploit code is an indicator that a vulnerability is likely to be targeted by threat actors in the near future, as it lowers the skill required to carry out the attack. A recent example of PoC code being used upon release was reported by Forescout: threat actors used publicly released exploit code for recent FortiOS vulnerabilities within days of its publication, which resulted in the deployment of SuperBlack ransomware.

Although there are no reports of exploitation of IngressNightmare at the time of writing, given the widespread usage of Ingress-NGINX and the availability of exploit code, exploitation of these vulnerabilities will likely be observed in the near future and continue to increase. Organizations are urged to apply the recommended security patches as soon as possible. If patching is not possible, organizations are advised to apply the recommended mitigation steps: enforce strict network policies so that only the Kubernetes API Server can reach the admission controller, or temporarily disable the admission controller component of Ingress-NGINX until patches can be applied. The admission webhook is the unauthenticated entry point for CVE-2025-1974, so it should never be reachable from arbitrary workloads in the cluster, let alone from the Internet.
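As an added example (not code from the briefing, Wiz Research or the ingress-nginx project), the following Python script triages controller images from a `kubectl get pods -A -o json` listing against the fixed releases named above. It assumes that every 1.x release older than 1.11.5, including end-of-life minor lines such as 1.10 and 1.9, is vulnerable, that 1.12.0 is vulnerable and 1.12.1 is fixed, and that minor lines after 1.12 ship with the fix; the pod listing embedded in the script is constructed sample data, not output from a real cluster.

```python
"""Triage ingress-nginx controller versions for IngressNightmare exposure.

Added example; not from the eSentire briefing, Wiz Research or the
ingress-nginx project. Fixed releases per the Kubernetes advisory: 1.11.5
and 1.12.1. Assumptions: every older 1.x release (including end-of-life
minor lines) is vulnerable, and minor lines after 1.12 ship with the fix.
"""
import json
import re

# minor line -> first patched patch level (1.11.5 and 1.12.1)
FIXED_BY_MINOR = {11: 5, 12: 1}

# matches the controller and controller-chroot images from any registry,
# with or without a trailing @sha256 digest
IMAGE_RE = re.compile(r"ingress-nginx/controller(?:-chroot)?:v?(\d+)\.(\d+)\.(\d+)")


def parse_controller_version(image):
    """Return (major, minor, patch) for an ingress-nginx controller image, else None."""
    match = IMAGE_RE.search(image)
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def is_vulnerable(version):
    """True if the controller version predates the fix for its minor line."""
    major, minor, patch = version
    if major != 1:
        return False          # the advisory only covers the 1.x line
    if minor > 12:
        return False          # assumption: later minor lines include the fix
    fixed_patch = FIXED_BY_MINOR.get(minor)
    if fixed_patch is None:
        return True           # 1.10 and older: end-of-life, never patched
    return patch < fixed_patch


def triage(pod_list_json):
    """Walk a `kubectl get pods -A -o json` document and report every controller container."""
    findings = []
    for pod in json.loads(pod_list_json)["items"]:
        meta = pod["metadata"]
        spec = pod["spec"]
        for container in spec.get("containers", []) + spec.get("initContainers", []):
            version = parse_controller_version(container["image"])
            if version is None:
                continue
            findings.append({
                "namespace": meta["namespace"],
                "pod": meta["name"],
                "image": container["image"],
                "version": "%d.%d.%d" % version,
                "vulnerable": is_vulnerable(version),
            })
    return findings


# Constructed sample listing shaped like `kubectl get pods -A -o json`;
# the digest is a placeholder, not a real image digest.
SAMPLE_POD_LIST = json.dumps({"items": [
    {"metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller-7c9f"},
     "spec": {"containers": [{"name": "controller",
              "image": "registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:0000"}]}},
    {"metadata": {"namespace": "edge", "name": "ingress-nginx-controller-a1b2"},
     "spec": {"containers": [{"name": "controller",
              "image": "registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1"}]}},
    {"metadata": {"namespace": "legacy", "name": "nginx-ingress-controller-5d8e"},
     "spec": {"containers": [{"name": "controller",
              "image": "k8s.gcr.io/ingress-nginx/controller:v1.9.6"}]}},
    {"metadata": {"namespace": "web", "name": "frontend-66f1"},
     "spec": {"containers": [{"name": "web", "image": "nginx:1.27"}]}},
]})


if __name__ == "__main__":
    for finding in triage(SAMPLE_POD_LIST):
        status = "VULNERABLE" if finding["vulnerable"] else "patched"
        print("%-14s %-34s %-8s %s" % (finding["namespace"], finding["pod"],
                                       finding["version"], status))
```

To run it against a live cluster, replace `SAMPLE_POD_LIST` with `sys.stdin.read()` and pipe in `kubectl get pods -A -o json`. For any controller flagged vulnerable, the advisory's interim mitigation is to turn off the admission webhook until the upgrade lands: with Helm, redeploy with `controller.admissionWebhooks.enabled=false`; with manifests, delete the `ingress-nginx-admission` ValidatingWebhookConfiguration and remove the `--validating-webhook` argument from the controller container. Turning the webhook off loses Ingress validation, so re-enable it once patched.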

eSentire's Managed Vulnerability Service (MVS) has plugins in place to detect vulnerable instances of Ingress-NGINX Controllers, and eSentire MDR for Network has detections in place monitoring for exploitation of CVE-2025-1097, CVE-2025-1098, and CVE-2025-24514. eSentire's Threat Response Unit (TRU) is currently tracking IngressNightmare and evaluating available information for further detection opportunities.

Critical Next.js Vulnerability

Bottom Line: Next.js released a security advisory addressing a critical authorization bypass vulnerability in the Next.js framework. Given the widespread adoption of Next.js and the release of PoC exploit code, it is crucial to address CVE-2025-29927 as quickly as possible.

On March 22nd, Next.js released a security advisory addressing a critical authorization bypass vulnerability in the framework. Next.js is a React framework used for building interactive web applications. It is widely adopted by developers across various industries due to its features that facilitate the creation of complex web applications. The vulnerability, tracked as CVE-2025-29927 (CVSS: 9.1), allows an attacker to bypass authorization checks enforced by the middleware. This could grant threat actors access to restricted pages intended for admins or users with higher privileges. The vulnerability resides in the middleware of the Next.js framework, which serves multiple purposes, including path rewriting, server-side redirects, adding elements such as headers to the response and, most importantly, managing authentication and authorization.

In late February, security researcher Rachid Allam discovered a critical vulnerability in Next.js and subsequently shared technical details and Proof-of-Concept (PoC) exploit code for the flaw. The vulnerability stems from how the Next.js middleware function (runMiddleware) processes the "x-middleware-subrequest" request header. Next.js sets this header on its own internal sub-requests so that the middleware is not re-entered, but vulnerable versions accept it from any client: by supplying a value that names the middleware (repeated enough times to satisfy the recursion limit in newer releases), an attacker can cause the middleware to be skipped entirely. CVE-2025-29927 can be exploited to bypass authorization controls and access admin pages and other protected routes, to circumvent a Content Security Policy (CSP) header set by the middleware, which could potentially lead to Cross-Site Scripting (XSS) attacks, and to perform Denial-of-Service (DoS) attacks through cache poisoning.

It is important to note that the Akamai Security Intelligence Group (SIG) has observed initial exploit attempts targeting this vulnerability. These exploitation attempts closely resemble PoC code released by the security researchers, who were acknowledged for identifying the vulnerability, along with technical details about the issue. Successful exploitation of this vulnerability is not confirmed at the time of writing.

eSentire Threat Intelligence Analysis:

As Next.js is widely used and PoC exploit code has been released, it is critical that organizations remediate CVE-2025-29927 immediately. Applications that are self-hosted on Next.js and utilize middleware for access control mechanisms, such as authentication and authorization, are especially vulnerable if they are using an outdated version of Next.js. In contrast, applications deployed on platforms like Vercel, Netlify, or those that are statically deployed and do not rely on middleware are not affected by this vulnerability.

The eSentire Threat Intelligence team issued a security advisory warning that real-world exploitation of the vulnerability is likely in the near future. A report from Datadog Security Labs details exploitation activity originating from various IP addresses and using a range of User-Agent strings. Furthermore, observations from the Akamai Security Intelligence Group (SIG) indicate that threat actors are actively scanning the Internet for servers affected by the vulnerability.

It is crucial for organizations to promptly apply the necessary security patches and upgrade to version 12.3.5, 13.5.9, 14.2.25, or 15.2.3, depending on the release line in use. If patching is not immediately possible, Next.js has recommended blocking any external requests that contain the "x-middleware-subrequest" header from reaching the web application; the header is only ever set internally, so a request arriving from the Internet with it present is either a misconfiguration or an attack. In anticipation of these threats, eSentire's Tactical Threat Response team has developed eSentire MDR for Network detections to identify exploitation attempts. eSentire Managed Vulnerability Service (MVS) has plugins in place to identify vulnerable devices. The eSentire Threat Intelligence team is actively tracking this topic for additional details and detection opportunities.
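As an added example covering both the header mechanism described earlier in this section and the interim mitigation above, the following Python code (not from the briefing, the researcher's PoC or the Next.js project) classifies incoming requests by their "x-middleware-subrequest" header and strips the header before a request is forwarded, as a reverse proxy in front of a self-hosted app should. It assumes the middleware names Next.js compares against are `middleware`, `src/middleware` and the legacy `pages/_middleware`, and that the recursion limit in newer releases is 5; the request headers embedded in the script are constructed samples, not captured traffic.

```python
"""Detect and neutralise CVE-2025-29927 bypass attempts in front of a Next.js app.

Added example; not from the eSentire briefing, the public PoC or Next.js.
Next.js sets x-middleware-subrequest on its own internal sub-requests so the
middleware is not re-entered. Vulnerable releases trusted that header from
any client: older versions skipped the middleware when the value named the
middleware file, newer ones when that name appeared MAX_RECURSION_DEPTH times.
Assumptions: the names and depth below are taken from the public write-ups.
"""
HEADER = "x-middleware-subrequest"
MIDDLEWARE_NAMES = {"middleware", "src/middleware", "pages/_middleware"}
MAX_RECURSION_DEPTH = 5  # assumption: recursion limit checked by newer releases


def header_value(headers, name):
    """Case-insensitive header lookup (HTTP header names are not case sensitive)."""
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def classify(headers):
    """Label a request as 'clean', 'suspicious' (internal header arriving from
    outside) or 'bypass_attempt' (value names a middleware file, as the PoC does)."""
    value = header_value(headers, HEADER)
    if value is None:
        return "clean"
    tokens = [token.strip() for token in value.split(":")]
    if any(token in MIDDLEWARE_NAMES for token in tokens):
        return "bypass_attempt"
    return "suspicious"


def bypass_depth(headers):
    """How many times a middleware name is repeated; >= MAX_RECURSION_DEPTH is
    what the PoC needs against newer releases, a single hit suffices on older ones."""
    value = header_value(headers, HEADER) or ""
    return sum(1 for token in value.split(":") if token.strip() in MIDDLEWARE_NAMES)


def sanitize(headers):
    """Return a copy of the headers with every spelling of the internal header removed."""
    return {key: value for key, value in headers.items() if key.lower() != HEADER}


# Constructed sample requests, not captured traffic.
SAMPLE_REQUESTS = [
    {"path": "/", "headers": {"Host": "app.example", "User-Agent": "Mozilla/5.0"}},
    {"path": "/admin", "headers": {
        "Host": "app.example",
        "x-middleware-subrequest": "middleware:middleware:middleware:middleware:middleware"}},
    {"path": "/admin", "headers": {
        "Host": "app.example", "X-Middleware-Subrequest": "src/middleware"}},
    {"path": "/api/me", "headers": {
        "Host": "app.example", "x-middleware-subrequest": "probe"}},
]


def scan(requests):
    """Classify each request and return (path, label, depth) triples."""
    return [(r["path"], classify(r["headers"]), bypass_depth(r["headers"])) for r in requests]


if __name__ == "__main__":
    for path, label, depth in scan(SAMPLE_REQUESTS):
        print("%-10s %-16s depth=%d" % (path, label, depth))
    # what the origin sees once the proxy has stripped the header
    print(sanitize(SAMPLE_REQUESTS[1]["headers"]))
```

Any non-"clean" result should be alerted on, since a legitimate browser never sends this header. The equivalent nginx mitigation is `proxy_set_header x-middleware-subrequest "";` in the location that proxies to the app (an empty value removes the header from the proxied request). Stripping at the edge only helps if the app cannot be reached around the proxy, so it is a stopgap until the upgrade, not a replacement for it.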

Oracle Cloud Breach

Bottom Line: A threat actor claims to have compromised Oracle Cloud's login servers and is offering to sell stolen data. Oracle is denying the claims but information provided by the threat actor offers some credibility to their claim.

On March 21st, a threat actor operating under the name rose87168 posted to the darkweb community BreachForums, claiming to have compromised Oracle Cloud’s login servers and offering to sell 6 million data records. In response, Oracle denied the claim stating, “There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud”. 

The stolen data allegedly includes "JKS files, encrypted SSO passwords, key files, and enterprise manager JPS keys" taken from login.(region name).oraclecloud.com. Rose87168 claimed to have breached the server 40 days before disclosing it on the dark web forum, affecting over 140K tenants. The threat actor also claimed to have contacted Oracle after exfiltrating data from the US and EM2 cloud regions, demanding 100,000 XMR (Monero cryptocurrency) in exchange for details of how the servers were breached. After Oracle allegedly refused to pay, rose87168 disclosed the breach on the forum and told affected companies to pay a "specific amount" to have their data removed. The threat actor has also offered to trade the data for zero-day exploits if organizations do not pay.

Rose87168 claimed to have exploited a publicly known vulnerability, for which no Proof-of-Concept (PoC) exploit code is available, to breach the servers. Cybersecurity firm CloudSEK, while investigating the affected server (login.us2.oraclecloud.com), identified that the Oracle Fusion Middleware hosted on it was affected by a known vulnerability in Oracle Access Manager. That vulnerability, CVE-2021-35587 (CVSS: 9.8), is exploitable by an unauthenticated attacker with network access via HTTP and can result in takeover of Oracle Access Manager.

Rose87168 was identified as a new user on BreachForums, active since January 2025, with no history of involvement in previous attacks. The user's initial activity on the forum, which involved seeking help with the decryption of stolen SSO passwords, suggests a lack of experience. Additionally, Oracle's denial of the breach further raised doubts about the credibility of the threat actor's claims. To provide evidence of the breach, rose87168 shared a sample list of customer details and uploaded a file containing the attacker's email address to "login.us2.oraclecloud.com". According to CloudSEK, the "volume and structure of the leaked information make it extremely difficult to fabricate".

On March 25th, rose87168 shared an additional 10,000 lines of data they claim was stolen from Oracle Cloud, which contains information from at least 1,500 organizations. While Oracle still denies that a breach has occurred, details shared by the threat actor (rose87168) add a level of credibility to their claim. Independent security researchers claimed to have verified the legitimacy of the breach. Some Oracle customers have also verified that their data was part of the sample.

eSentire Threat Intelligence Analysis:

While the credibility of the threat actor, rose87168, remains in question, their actions clearly indicate a financial motive. They are demanding payments from affected organizations, with the threat of selling the stolen data on the dark web if their demands are not met. The threat actor has expressed a willingness to provide more evidence but insists on sharing it via email, which suggests they aim to preserve the value of the data by withholding it from public view. Until Oracle provides concrete evidence that a breach did not occur and that the released information is not legitimate, organizations should treat the breach as real and take appropriate response actions.

In the short term, there is an increased risk of phishing, malspam, and social engineering attacks targeting the email addresses released in the sample data, while longer term risks include the decryption of stolen authentication material, which could be used to access Oracle Cloud customer environments. A separate breach at Oracle Health, impacting multiple US healthcare organizations and hospitals, was reported by BleepingComputer on March 28th. There is no direct evidence linking the two incidents, but confirmation of the Oracle Health compromise soon after rose87168's claims of breaching Oracle Cloud suggests they might be connected.

Organizations are strongly encouraged to reset all potentially impacted Oracle SSO and LDAP passwords. If not already in place, these systems should be protected with Multi-Factor Authentication (MFA) to reduce the risk of potentially leaked credentials being employed for access. SSO/SAML/OIDC secrets/certificates associated with the potentially compromised LDAP configuration may also be replaced. Oracle support should be contacted to rotate tenant-specific identifiers, and to discuss other remediation options for a potential breach.

Organizations contacted by rose87168 or other threat actors are recommended to contact law-enforcement and avoid paying any ransom demand; paying ransom or extortion demands does not guarantee that threat actors will delete stolen data. Organizations are recommended to employ an efficient and regular backup system to ensure recovery in case of any breach of the sensitive data.

The eSentire Threat Intelligence team is actively investigating the threat actor claims; as always, threat actor claims should be viewed skeptically until validated. eSentire Managed Vulnerability Service (MVS) has plugins in place to identify devices vulnerable to CVE-2021-35587.

About the threat briefings:

The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.

eSentire Threat Response Unit (TRU)

Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers, that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.
