Siemens Insights Hub Private Cloud
Act Now | CVSS 9.8 | ICS-CERT ICSA-25-100-05 | Apr 8, 2025
Siemens
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Insights Hub Private Cloud contains multiple vulnerabilities in the Ingress NGINX Controller for Kubernetes that could lead to arbitrary code execution within the ingress-nginx controller context, disclosure of Kubernetes Secrets accessible to the controller, or denial of service. The vulnerabilities affect all versions of the product and are related to input validation (CWE-20) and improper restriction of rendered UI layers (CWE-653).
What this means
What could happen
An attacker with network access to the Insights Hub Private Cloud instance could execute arbitrary code on the Kubernetes ingress controller, potentially gaining control of the cluster, accessing sensitive credentials stored as Kubernetes Secrets, or disrupting availability of the platform and dependent operations.
Who's at risk
Organizations running Siemens Insights Hub Private Cloud deployments should prioritize this update. This affects any facility using Insights Hub for cloud-based industrial data management, analytics, or edge computing integration, particularly those with internet-facing or DMZ-deployed instances.
How it could be exploited
An attacker with network access to the Insights Hub Private Cloud ingress service exploits input validation flaws in the NGINX controller to inject and execute arbitrary code, or crafts requests that disclose Kubernetes Secrets or exhaust resources, causing denial of service.
Prerequisites
- Network access to the Insights Hub Private Cloud Ingress NGINX Controller service
- No authentication required
- remotely exploitable
- no authentication required
- low complexity
- high EPSS score (90.3%)
- affects cloud/kubernetes infrastructure critical to OT data systems
- arbitrary code execution capability
Exploitability
Likely to be exploited — EPSS score 91.1%
Public Proof-of-Concept (PoC) on GitHub (10 repositories)
Affected products (1)
Product | Affected Versions | Fix Status
Insights Hub Private Cloud | All versions | Fix available
Remediation & Mitigation
Do now
- HOTFIX: Contact Siemens customer support to obtain and deploy the latest patched version of Insights Hub Private Cloud
- WORKAROUND: Restrict network access to the Insights Hub Private Cloud Ingress NGINX Controller to only authorized networks and users; block internet-facing exposure
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Deploy the Insights Hub Private Cloud instance behind a firewall with strict ingress rules allowing only necessary ports and source IPs
- HARDENING: Rotate all Kubernetes Secrets and credentials accessible to the ingress controller as a precaution against potential disclosure
Long-term hardening
- HARDENING: If remote access to Insights Hub is required, implement a VPN or jump server architecture and ensure VPN software is kept current with security patches
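To verify the network-restriction workaround and the firewall hardening item above, the following added example (not part of the advisory and not Siemens code) audits Kubernetes Service definitions for exposure beyond a list of authorized networks. It assumes the input is the JSON from `kubectl get svc -n <namespace> -o json` for the namespace holding the ingress controller; the service names, namespace and CIDRs in the sample are constructed.

```python
import ipaddress
import json

# Constructed sample shaped like `kubectl get svc -n <namespace> -o json`.
# Service names, namespace and CIDRs are illustrative assumptions.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"namespace": "example", "name": "ingress-open"},
  "spec": {"type": "LoadBalancer", "ports": [{"port": 443}]}},
 {"metadata": {"namespace": "example", "name": "ingress-wide"},
  "spec": {"type": "LoadBalancer", "ports": [{"port": 443}],
           "loadBalancerSourceRanges": ["10.20.0.0/16", "0.0.0.0/0"]}},
 {"metadata": {"namespace": "example", "name": "ingress-nodeport"},
  "spec": {"type": "NodePort", "ports": [{"port": 443, "nodePort": 30443}]}},
 {"metadata": {"namespace": "example", "name": "ingress-restricted"},
  "spec": {"type": "LoadBalancer", "ports": [{"port": 443}],
           "loadBalancerSourceRanges": ["10.20.30.0/24"]}}
]}
""")


def audit_services(service_list, authorized_cidrs):
    """Map 'namespace/name' to exposure findings for each Service in the list."""
    allowed = [ipaddress.ip_network(c) for c in authorized_cidrs]
    report = {}
    for item in service_list.get("items", []):
        meta, spec = item.get("metadata", {}), item.get("spec", {})
        svc_type, issues = spec.get("type", "ClusterIP"), []
        if svc_type == "LoadBalancer":
            ranges = spec.get("loadBalancerSourceRanges") or []
            if not ranges:
                issues.append("LoadBalancer has no loadBalancerSourceRanges")
            for cidr in ranges:
                net = ipaddress.ip_network(cidr, strict=False)
                # A range is acceptable only if it sits inside an authorized network.
                if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
                    issues.append(f"source range {cidr} exceeds authorized networks")
        elif svc_type == "NodePort":
            ports = [p["nodePort"] for p in spec.get("ports", []) if "nodePort" in p]
            issues.append(f"NodePort {ports} open on every node; filter at the firewall")
        if spec.get("externalIPs"):
            issues.append(f"externalIPs set: {spec['externalIPs']}")
        if issues:
            report[f"{meta.get('namespace')}/{meta.get('name')}"] = issues
    return report


if __name__ == "__main__":
    for name, issues in audit_services(SAMPLE, ["10.20.0.0/16"]).items():
        print(name, "->", "; ".join(issues))
```

Enforcement of `loadBalancerSourceRanges` depends on the load balancer provider, so a clean report should still be confirmed against the perimeter firewall rules.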