Recent bundles

Ivanti has released updates for Endpoint Manager Mobile (EPMM) which address one medium- and one high-severity vulnerability. When chained together, successful exploitation could lead to unauthenticated remote code execution.

We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure.

CVE-2025-4427
Description: An authentication bypass in Ivanti Endpoint Manager Mobile allowing attackers to access protected resources without proper credentials.
CVSS Score (Severity): 5.3 (Medium)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE: CWE-288

CVE-2025-4428
Description: A remote code execution vulnerability in Ivanti Endpoint Manager Mobile allowing attackers to execute arbitrary code on the target system.
CVSS Score (Severity): 7.2 (High)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-94

Mitigation or Workaround

Customers can mitigate the threat by following best-practice guidance and filtering access to the API using either the built-in Portal ACLs functionality or an external WAF. You can find additional information on using the Portal ACLs functionality here.

  • The risk to customers is significantly reduced if they already filter access to the API using either the built-in Portal ACLs functionality or an external WAF.
  • When reviewing or implementing additional API restrictions, please ensure you are using the “API Connection” type.
  • We do NOT recommend using the “ACLs” functionality, as it blocks all access by network ranges, not just access to specific functionality.
  • While this is an effective mitigation, it could impact the functionality of your solution depending on your specific configuration. In particular, integrations where IPs are difficult to determine or change often will be impacted, such as:
    • Windows Device Registrations using Autopilot
    • Microsoft Device Compliance and Graph API integrations
  • Additionally, an RPM file can be provided if customers need an alternative option. Customers will need to open a Support Case to receive the RPM file. Here's a step-by-step guide to installing the RPM file:
    • Use SSH to connect to the instance and log in to the system CLI as the admin user. The admin account is created during system installation.
    • Type enable and provide the corresponding system password (set during system installation) to enter EXEC PRIVILEGED mode. You’ll notice the command-line prompt changes from > to #.
    • Run the command install rpm url https://hostname/pathtorpm to download and install the RPM file.
    • Once the RPM installation is complete, type reload to restart the system. This applies the update.

The RPM file has been tested on supported versions of EPMM (versions 12.3, 12.4 and 12.5). The RPM may work on older versions, but Ivanti has not tested the mitigation on unsupported versions. We strongly recommend customers move to a supported version of the product.

Ref: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM?language=en_US


Related vulnerabilities: CVE-2025-4427, CVE-2025-4428

Security Advisory Ivanti EPM 2022 SU6 and EPM 2024 (Multiple CVEs)

Summary

Ivanti has released updates for Ivanti Endpoint Manager which address medium- and high-severity vulnerabilities.

We are not aware of any customers being exploited by these vulnerabilities at the time of disclosure.


CVE-2025-22464
Description: An untrusted pointer dereference vulnerability in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows an attacker with local access to write arbitrary data into memory causing a denial-of-service condition.
CVSS Score (Severity): 6.1 (Medium)
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
CWE: CWE-822

CVE-2025-22465
Description: Reflected XSS in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote unauthenticated attacker to execute arbitrary JavaScript in a victim's browser. Unlikely user interaction is required.
CVSS Score (Severity): 6.1 (Medium)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

CVE-2025-22466
Description: Reflected XSS in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote unauthenticated attacker to obtain admin privileges. User interaction is required.
CVSS Score (Severity): 8.2 (High)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
CWE: CWE-79

CVE-2025-22458
Description: DLL hijacking in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows an authenticated attacker to escalate to System.
CVSS Score (Severity): 7.8 (High)
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-427

CVE-2025-22459
Description: Improper certificate validation in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote unauthenticated attacker to intercept limited traffic between clients and servers.
CVSS Score (Severity): 4.8 (Medium)
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
CWE: CWE-296

CVE-2025-22461
Description: SQL injection in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote authenticated attacker with admin privileges to achieve code execution.
CVSS Score (Severity): 7.2 (High)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-89

Ref: https://forums.ivanti.com/s/article/Security-Advisory-EPM-April-2025-for-EPM-2024-and-EPM-2022-SU6?language=en_US


Related vulnerabilities: CVE-2025-22464, CVE-2025-22459, CVE-2025-22465, CVE-2025-22461, CVE-2025-22458, CVE-2025-22466

Vulnerabilities have been discovered in Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways, and a patch is available now. These vulnerabilities impact all supported versions – 9.x and 22.x (refer to the Granular Software Release EOL Timelines and Support Matrix for supported versions).

We are not aware of any customers being exploited by these vulnerabilities at the time of disclosure.

Refer to KB43892 – What releases will Pulse Secure apply fixes to resolve security vulnerabilities – for our End of Engineering (EOE) and End of Life (EOL) policies.

CVE-2024-21894
Description: A heap overflow vulnerability in the IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service, thereby causing a DoS attack. In certain conditions this may lead to execution of arbitrary code.
CVSS: 8.2
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

CVE-2024-22052
Description: A null pointer dereference vulnerability in the IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service, thereby causing a DoS attack.
CVSS: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2024-22053
Description: A heap overflow vulnerability in the IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service, thereby causing a DoS attack, or in certain conditions read contents from memory.
CVSS: 8.2
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

CVE-2024-22023
Description: An XML entity expansion (XEE) vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated attacker to send specially crafted XML requests in order to temporarily cause resource exhaustion, thereby resulting in a limited-time DoS.
CVSS: 5.3
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE-2024-29205
Description: An Improper Check for Unusual or Exceptional Conditions vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a remote unauthenticated attacker to send specially crafted requests in order to cause service disruptions.
CVSS: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Update 17 April: An issue that was initially identified as a product defect, disclosed in the release notes, and fixed in the patch released on 3 April has since been identified as a security issue and we are reporting it as CVE-2024-29205. Customers who have applied the patch released on 3 April are protected from this vulnerability, and no other action is required. Following the public disclosure, we are aware of a limited number of customers who have been impacted by this vulnerability.


Related vulnerabilities: CVE-2024-22023, CVE-2024-21894, CVE-2024-22053, CVE-2024-29205, CVE-2024-22052

Viasat Modems Zero-Day Vulnerabilities Let Attackers Execute Remote Code

A severe zero-day vulnerability has been uncovered in multiple Viasat satellite modem models, including the RM4100, RM4200, EM4100, RM5110, RM5111, RG1000, RG1100, EG1000, and EG1020.

Identified by ONEKEY Research Lab through automated binary static analysis, the flaw, tracked as CVE-2024-6198, affects the “SNORE” web interface running on lighttpd over TCP ports 3030 and 9882.

Figure: Excerpts of the lighttpd configuration

With a CVSS score of 7.7 (High), this vulnerability enables unauthenticated remote code execution (RCE) by exploiting a stack buffer overflow due to insecure path parsing in the index.cgi binary.


This critical issue, discovered on the day a customer enabled binary zero-day analysis on ONEKEY’s platform, exposes devices to potential compromise over LAN or OTA interfaces, posing significant risks to sensitive infrastructures relying on these modems.

Technical Details and Exploitation Path

The vulnerability stems from flawed handling of HTTP requests within the SNORE interface’s CGI binary located at /usr/local/SNORE.

Specifically, environment variables REQUEST_METHOD and REQUEST_URI are processed unsafely during GET, POST, or DELETE requests.

Figure: Analysis configuration

An unsafe call to sscanf extracts URI components into a fixed-size buffer without proper bounds checking, allowing attackers to overflow the stack by crafting malicious requests, such as http://192.168.100.1:9882/snore/blackboxes/ followed by 512 repeated characters.

This overflow grants control over critical registers, including the program counter, enabling attackers to hijack execution flow.

Despite the binary’s non-executable stack hardening, exploitation remains feasible through return-oriented programming (ROP) chains, reusing existing code blocks to execute arbitrary code.

Affected firmware versions include those below 3.8.0.4 for RM4100, RM4200, and EM4100, and up to 4.3.0.1 for other models, with fixes deployed in versions 3.8.0.4 and 4.3.0.2, respectively.

Viasat has rolled out automated over-the-air updates, and users are urged to ensure their devices are online to receive patches and to verify the updated firmware version via the administrative interface.

This discovery underscores the systemic risks posed by opaque firmware in critical devices and the power of proactive binary analysis in uncovering latent threats.

According to the report, ONEKEY’s automated firmware inspection, which flagged the issue during routine daily monitoring, highlights the necessity of such tools for OEMs and integrators to safeguard connected environments.

The coordinated disclosure process with Viasat, initiated on May 15, 2024, showcased effective communication despite multiple deadline extensions, culminating in public disclosure on May 25, 2025, after ensuring a significant ratio of devices in the field were patched.

Nevertheless, the incident emphasizes the urgent need for transparency in embedded software to mitigate risks in modern infrastructures.

As satellite modems underpin vital communication networks, such vulnerabilities could have far-reaching consequences if left unaddressed, making diligent firmware scrutiny and timely updates non-negotiable for security.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware and vulnerabilities.


Related vulnerabilities: CVE-2024-6198

Security Advisory

SonicWall SMA100 SSL-VPN Affected By Multiple Vulnerabilities

Overview

Advisory ID: SNWLID-2024-0018
First Published: 2024-12-03
Last Updated: 2025-04-29
Workaround: false
Status: Applicable
CVE: CVE-2024-38475, CVE-2024-40763, CVE-2024-45318, CVE-2024-45319, CVE-2024-53702, CVE-2024-53703
CWE: CWE-35, CWE-121, CWE-122, CWE-798, CWE-338
CVSS v3: 9.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

  1. Path traversal vulnerability – attributed to publicly known Apache HTTP Server vulnerability (CVE-2024-38475)

Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to file system locations that are permitted to be served by the server.

CVSS Score: 9.8 
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-35: Path traversal vulnerability

  2. CVE-2024-40763 - SonicWALL SMA100 Heap-based buffer overflow vulnerability

Heap-based buffer overflow vulnerability in the SonicWall SMA100 SSLVPN due to the use of strcpy. This allows remote authenticated attackers to cause a heap-based buffer overflow and potentially achieve code execution.

CVSS Score: 7.5
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-122: Heap-based Buffer Overflow

  3. CVE-2024-45318 - Stack-based buffer overflow vulnerability

A vulnerability in the SonicWall SMA100 SSLVPN web management interface allows remote attackers to cause a stack-based buffer overflow and potentially achieve code execution.

CVSS Score: 8.1
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-121: Stack-based Buffer Overflow

  4. CVE-2024-45319 - Certificate-based authentication bypass

A vulnerability in the SonicWall SMA100 SSLVPN allows a remote authenticated attacker to circumvent the certificate requirement during authentication.

CVSS Score: 6.3
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CWE-798: Use of Hard-coded Credentials

  5. CVE-2024-53702 - Insecure randomness

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in the SonicWall SMA100 SSLVPN backup code generator that, in certain cases, can be predicted by an attacker, potentially exposing the generated secret.

CVSS Score: 5.3
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

  6. CVE-2024-53703 - Stack-based buffer overflow vulnerability

A vulnerability in the SonicWall SMA100 SSLVPN mod_httprp library loaded by the Apache web server allows remote attackers to cause a stack-based buffer overflow and potentially achieve code execution.

CVSS Score: 8.1
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-121: Stack-based Buffer Overflow

SonicWall SSL VPN SMA1000 series products are not affected by these vulnerabilities.

SonicWall strongly advises users of the SMA 100 series products (SMA 200, 210, 400, 410, and 500v) to upgrade to the mentioned fixed release version to address these vulnerabilities.

Affected Product(s)

Affected Product(s): SMA 100 Series (SMA 200, 210, 400, 410, 500v)
Affected Versions: 10.2.1.13-72sv and earlier versions.

Workaround

None

Fixed Software

Fixed Product(s): SMA 100 Series (SMA 200, 210, 400, 410, 500v)
Fixed Versions: 10.2.1.14-75sv and higher versions.

Comments

During further analysis, SonicWall and trusted security partners identified an additional exploitation technique using CVE-2024-38475, through which unauthorized access to certain files could enable session hijacking. SMA100 devices updated with the fixed firmware version 10.2.1.14-75sv are not vulnerable to CVE-2024-38475 or the related session hijacking technique described.

Note: This is potentially being exploited in the wild.

SonicWall PSIRT recommends that customers review their SMA devices to ensure no unauthorized logins.

Credit(s)

Alain Mowat of Orange Cyberdefense, Switzerland.

Revision History

  • Version 1.0 (04-Dec-2024): Initial Release.
  • Version 1.1 (05-Dec-2024): Updated credit(s) section - Included vulnerability researcher name.
  • Version 1.2 (29-Apr-2025): Comment added - During further analysis, SonicWall and trusted security partners identified an additional exploitation technique using CVE-2024-38475, through which unauthorized access to certain files could enable session hijacking. SMA100 devices updated with the fixed firmware version 10.2.1.14-75sv are not vulnerable to CVE-2024-38475 or the related session hijacking technique described.

Reference(s)

Source: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0018


Related vulnerabilities: CVE-2024-40763, CVE-2024-45318, CVE-2024-38475, CVE-2024-45319, CVE-2024-53702, CVE-2024-53703

PHP Core Security Audit Results

Published on Apr 10, 2025 by Roman Pronskiy

News

The PHP Foundation is pleased to announce the completion of a comprehensive security audit of the PHP source code (php/php-src), commissioned by the Sovereign Tech Agency.

This initiative was organized in partnership with the Open Source Technology Improvement Fund (OSTIF) and executed by the esteemed security group Quarkslab.

Audit Overview

Conducted over a two-month period in 2024, the audit encompassed:

  • Development of a threat model tailored to php-src
  • Manual code reviews
  • Dynamic testing procedures
  • Cryptographic assessments

The collaboration between Quarkslab’s auditors and PHP maintainers ensured a thorough examination of the codebase.

⚠️ Due to budget constraints, the recent security audit focused on the most critical components of the PHP source code rather than the entire codebase. Organizations interested in sponsoring a comprehensive audit or additional assessments are encouraged to contact us!

Key Findings

The audit identified 27 issues, with 17 having security implications:

  • 3 High-severity
  • 5 Medium-severity
  • 9 Low-severity

Additionally, 10 informational findings were reported.

Notably, four vulnerabilities received CVE identifiers:

  • CVE-2024-9026: Log tampering vulnerability in PHP-FPM, allowing potential manipulation or removal of characters from log messages.
  • CVE-2024-8925: Flaw in PHP’s multipart form data parsing, potentially leading to data misinterpretation.
  • CVE-2024-8928: Memory-related vulnerability in PHP’s filter handling, leading to segmentation faults.
  • CVE-2024-8929: Issue where a malicious MySQL server could cause the client to disclose heap content from other SQL requests.

Recommendations and Resolutions

Quarkslab’s report commended the overall high quality and specification adherence of the php/php-src project.

The PHP development team has addressed all identified issues. Users are strongly encouraged to upgrade to the latest PHP versions to benefit from these security enhancements.

Acknowledgments

We extend our gratitude to the individuals and organizations that made this audit possible:

  • The PHP Foundation Team and PHP maintainers:
    Jakub Zelenka, Arnaud Le Blanc, Niels Dossche, Ilija Tovilo, Stas Malyshev, Dmitry Stogov, Derick Rethans, and Roman Pronskiy.
  • Quarkslab Team:
    Angèle Bossuat, Julio Loayza Meneses, Mihail Kirov, Sebastien Rolland, Ramtine Tofighi Shirazi.
  • Sovereign Tech Agency:
    Abigail Garner and the team – for commissioning the audit and all the help.
  • OSTIF:
    Amir Montazery, Derek Zimmer, Helen Woeste – for organizing the collaboration.

This audit underscores our commitment to enhancing PHP’s security and reliability. We remain dedicated to ongoing improvements and collaborations to ensure PHP’s robustness for the global development community.

Further Reading

If your company is interested in commissioning another round of security audit, please contact The PHP Foundation team: contact@thephp.foundation.


Related vulnerabilities: CVE-2024-8929, CVE-2024-9026, CVE-2024-8928, CVE-2024-8925

CVE ID: CVE-2025-3469, CVE-2025-32696, CVE-2025-32697, CVE-2025-32698, CVE-2025-32699, CVE-2025-32700

Multiple security issues were discovered in MediaWiki, a website engine for collaborative work, which could result in information disclosure, cross-site scripting or restriction bypass.

Reference: https://security-tracker.debian.org/tracker/source-package/mediawiki

For the stable distribution (bookworm), these problems have been fixed in version 1:1.39.12-1~deb12u1.


Related vulnerabilities: CVE-2025-32699, CVE-2025-3469, CVE-2025-32698, CVE-2025-32696, CVE-2025-32697, CVE-2025-32700

Microsoft has released its monthly security update for April of 2025 which includes 126 vulnerabilities affecting a range of products, including 11 that Microsoft marked as “critical”.

In this month's release, none of the included vulnerabilities have been observed by Microsoft to be exploited in the wild. The eleven “critical” entries are all remote code execution (RCE) vulnerabilities, four of which have been marked as “Exploitation more likely”.

Two of the “critical” vulnerabilities listed affect components of the Windows Remote Desktop Services.

CVE-2025-27480 and CVE-2025-27482 are RCE vulnerabilities in components of the Remote Desktop Gateway Service. Both vulnerabilities were given a CVSS 3.1 score of 8.1. To successfully exploit these an attacker could connect to a system with the Remote Desktop Gateway role and trigger a race condition to create a use-after-free scenario, potentially allowing arbitrary code to be executed. Microsoft has assessed that the attack complexity is “high”, and exploitation is “More likely”.

CVE-2025-26663 is an RCE vulnerability in the Windows Lightweight Directory Access Protocol (LDAP) and has been given a CVSS 3.1 score of 8.1. This could be exploited by an attacker by sending a specially crafted LDAP call to trigger a use-after-free vulnerability, allowing arbitrary code to be executed in the context of the LDAP service. An attacker could initiate this by sending a victim an email or message containing a malicious link. Microsoft has assessed that exploitation is “more likely” and that the attack complexity is “high”.

CVE-2025-26670 is an RCE vulnerability in the Lightweight Directory Access Protocol (LDAP) Client and has been given a CVSS 3.1 base score of 8.1. An attacker could exploit this vulnerability by sending sequential specially crafted LDAP requests to a vulnerable LDAP server. Successful exploitation would require an attacker to win a race condition, which could result in a use-after-free that would allow for arbitrary code execution. Microsoft states that exploitation of this vulnerability is “More likely” and that the attack complexity is “high”.

CVE-2025-26686 is an RCE vulnerability in Windows TCP/IP and has been given a CVSS 3.1 base score of 7.5. Due to improperly locked memory in Windows TCP/IP, this vulnerability could allow an attacker to execute arbitrary code over a network. To exploit this, an attacker must wait for a user to initiate a connection and send a DHCPv6 request, to which the attacker would reply with a DHCPv6 response containing a fake IPv6 address. Successful exploitation requires the attacker to win a race condition and make several preparations in the target environment beforehand. Due to this complexity, Microsoft has determined that exploitation is "Less likely".

CVE-2025-27491 is an RCE vulnerability in Windows Hyper-V and has a CVSS 3.1 base score of 7.1. An attacker with guest privileges on a network could exploit this by convincing a victim to click a link to a malicious site. Microsoft has determined that exploitation of this vulnerability is “Less likely” and that the attack complexity is “high”.

CVE-2025-29791 is an RCE vulnerability in Microsoft Excel and has a CVSS 3.1 base score of 7.8. An attacker could exploit this by sending a specially crafted document to a victim that triggers a type confusion when opened. Once triggered, the type confusion could lead to arbitrary code execution. Microsoft has assessed that exploitation of this vulnerability is "Less likely".

CVE-2025-27752 is another RCE vulnerability in Microsoft Excel and has a CVSS 3.1 score of 7.8. This is a heap overflow vulnerability and can be exploited by an attacker to locally execute arbitrary code. It has been assessed that exploitation of this vulnerability is considered "Less likely".

CVE-2025-27745, CVE-2025-27748 and CVE-2025-27749 are RCE vulnerabilities in Microsoft Office and all have a CVSS 3.1 base score of 7.8. These could be exploited by an attacker by triggering a use-after-free scenario, allowing for the execution of arbitrary code. Microsoft has determined that exploitation for each is considered "Less likely".

Talos would also like to highlight the following "important" vulnerabilities as Microsoft has determined that exploitation is "More likely":

CVE-2025-27472 - Windows Mark of the Web Security Feature Bypass Vulnerability
CVE-2025-27727 - Windows Installer Elevation of Privilege Vulnerability
CVE-2025-29792 - Microsoft Office Elevation of Privilege Vulnerability
CVE-2025-29793 - Microsoft SharePoint Remote Code Execution Vulnerability
CVE-2025-29794 - Microsoft SharePoint Remote Code Execution Vulnerability
CVE-2025-29809 - Windows Kerberos Security Feature Bypass Vulnerability
CVE-2025-29812 - DirectX Graphics Kernel Elevation of Privilege Vulnerability
CVE-2025-29822 - Microsoft OneNote Security Feature Bypass Vulnerability

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 58316, 58317, 64432, 64746 - 64757, 64760 - 64762. There are also these Snort 3 rules: 301176 - 301179.


Related vulnerabilities: CVE-2025-27480, CVE-2025-29793, CVE-2025-27482, CVE-2025-27491, CVE-2025-27748, CVE-2025-26670, CVE-2025-29822, CVE-2025-29794, CVE-2025-26686, CVE-2025-27749, CVE-2025-29809, CVE-2025-27745, CVE-2025-29791, CVE-2025-27727, CVE-2025-29812, CVE-2025-27752, CVE-2025-29792, CVE-2025-26663, CVE-2025-27472

Operation ForumTroll exploits zero-days in Google Chrome | Securelist

Incidents

25 Mar 2025

In mid-March 2025, Kaspersky technologies detected a wave of infections by previously unknown and highly sophisticated malware. In all cases, infection occurred immediately after the victim clicked on a link in a phishing email, and the attackers’ website was opened using the Google Chrome web browser. No further action was required to become infected.

All malicious links were personalized and had a very short lifespan. However, Kaspersky’s exploit detection and protection technologies successfully identified the zero-day exploit that was used to escape Google Chrome’s sandbox. We quickly analyzed the exploit code, reverse-engineered its logic, and confirmed that it was based on a zero-day vulnerability affecting the latest version of Google Chrome. We then reported the vulnerability to the Google security team. Our detailed report enabled the developers to quickly address the issue, and on March 25, 2025, Google released an update fixing the vulnerability and thanked us for discovering this attack.

Figure: Acknowledgement for finding CVE-2025-2783 (excerpt from the security fixes included in Chrome 134.0.6998.177/.178)

We have discovered and reported dozens of zero-day exploits actively used in attacks, but this particular exploit is certainly one of the most interesting we’ve encountered. The vulnerability CVE-2025-2783 really left us scratching our heads, as, without doing anything obviously malicious or forbidden, it allowed the attackers to bypass Google Chrome’s sandbox protection as if it didn’t even exist. The cause of this was a logical error at the intersection of Google Chrome’s sandbox and the Windows operating system. We plan to publish the technical details of this vulnerability once the majority of users have installed the updated version of the browser that fixes it.

Our research is still ongoing, but judging by the functionality of the sophisticated malware used in the attack, it seems the attackers’ goal was espionage. The malicious emails contained invitations supposedly from the organizers of a scientific and expert forum, “Primakov Readings”, targeting media outlets and educational institutions in Russia. Based on the content of the emails, we dubbed the campaign Operation ForumTroll.

Figure: Example of a malicious email used in this campaign (translated from Russian)

At the time of writing, there’s no exploit active at the malicious link – it just redirects visitors to the official website of “Primakov Readings”. However, we strongly advise against clicking on any potentially malicious links.

The exploit we discovered was designed to run in conjunction with an additional exploit that enables remote code execution. Unfortunately, we were unable to obtain this second exploit, as in this particular case it would have required waiting for a new wave of attacks and exposing users to the risk of infection. Fortunately, patching the vulnerability used to escape the sandbox effectively blocks the entire attack chain.

All the attack artifacts analyzed so far indicate high sophistication of the attackers, allowing us to confidently conclude that a state-sponsored APT group is behind this attack.

We plan to publish a detailed report with technical details about the zero-day exploit, the sophisticated malware, and the attackers’ techniques.

Kaspersky products detect the exploits and malware used in this attack with the following verdicts:

  • Exploit.Win32.Generic
  • Trojan.Win64.Agent
  • Trojan.Win64.Convagent.gen
  • PDM:Exploit.Win32.Generic
  • PDM:Trojan.Win32.Generic
  • UDS:DangerousObject.Multi.Generic

Indicators of Compromise

primakovreadings[.]info



Related vulnerabilities: CVE-2025-2783

This release fixes the following CVEs:

  • CVE-2025-1097
  • CVE-2025-1098
  • CVE-2025-1974
  • CVE-2025-24513
  • CVE-2025-24514

Unfortunately, to fix CVE-2025-1974 it was necessary to disable the validation of the generated NGINX configuration during the validation of Ingress resources.

The resulting NGINX configuration is still checked before the actual loading, so that there are no failures of the underlying NGINX. However, invalid Ingress resources can lead to the NGINX configuration no longer being able to be updated.

To reduce such situations as far as possible, we therefore recommend enabling annotation validation and disabling snippet annotations. In case of doubt, such states can be determined from the logs of the Ingress NGINX Controller. Watch out for a line of dashes followed by "Error:" telling you what went wrong.


Related vulnerabilities: CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1974, CVE-2025-1098
