
Critical Ingress NGINX Controller Vulnerability Allows RCE Without Authentication

A set of five critical security shortcomings have been disclosed in the Ingress NGINX Controller for Kubernetes that could result in unauthenticated remote code execution, putting over 6,500 clusters at immediate risk by exposing the component to the public internet.

The vulnerabilities (CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, and CVE-2025-1974), assigned a CVSS score of 9.8, have been collectively codenamed IngressNightmare by cloud security firm Wiz. It's worth noting that the shortcomings do not impact NGINX Ingress Controller, which is another ingress controller implementation for NGINX and NGINX Plus.

“Exploitation of these vulnerabilities leads to unauthorized access to all secrets stored across all namespaces in the Kubernetes cluster by attackers, which can result in cluster takeover,” the company said in a report shared with The Hacker News.


IngressNightmare, at its core, affects the admission controller component of the Ingress NGINX Controller for Kubernetes. About 43% of cloud environments are vulnerable to these vulnerabilities.


Ingress NGINX Controller uses NGINX as a reverse proxy and load balancer, making it possible to expose HTTP and HTTPS routes from outside a cluster to services within it.

The vulnerability takes advantage of the fact that admission controllers, deployed within a Kubernetes pod, are accessible over the network without authentication.

Specifically, it involves injecting an arbitrary NGINX configuration remotely by sending a malicious ingress object (aka AdmissionReview requests) directly to the admission controller, resulting in code execution on the Ingress NGINX Controller’s pod.

“The admission controller’s elevated privileges and unrestricted network accessibility create a critical escalation path,” Wiz explained. “Exploiting this flaw allows an attacker to execute arbitrary code and access all cluster secrets across namespaces, that could lead to complete cluster takeover.”

The shortcomings are listed below –

  • CVE-2025-24514 – auth-url Annotation Injection
  • CVE-2025-1097 – auth-tls-match-cn Annotation Injection
  • CVE-2025-1098 – mirror UID Injection
  • CVE-2025-1974 – NGINX Configuration Code Execution

In an experimental attack scenario, a threat actor could upload a malicious payload in the form of a shared library to the pod by using the client-body buffer feature of NGINX, followed by sending an AdmissionReview request to the admission controller.

The request, in turn, contains one of the aforementioned configuration directive injections that causes the shared library to be loaded, effectively leading to remote code execution.


Hillai Ben-Sasson, cloud security researcher at Wiz, told The Hacker News that the attack chain essentially involves injecting malicious configuration, and using it to read sensitive information and run arbitrary code. This could subsequently allow an attacker to abuse a powerful Service Account in order to read Kubernetes secrets and ultimately facilitate cluster takeover.

Following responsible disclosure, the vulnerabilities have been addressed in Ingress NGINX Controller versions 1.12.1, 1.11.5, and 1.10.7.

Users are recommended to update to the latest version as soon as possible and ensure that the admission webhook endpoint isn’t exposed externally.


As mitigations, it is advised to allow only the Kubernetes API Server to access the admission controller and to temporarily disable the admission controller component if it is not needed.
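The fixed releases named above are per branch, so a plain "greater than 1.10.7" comparison misclassifies images such as 1.11.4. The following added example (not code from the article or from the ingress-nginx project) triages controller image references against those three releases; the sample inventory is constructed, and the handling of branches outside 1.10 to 1.12 is an assumption noted in the comments.

```python
import re

# Fixed releases named in the article, keyed by (major, minor) branch.
FIXED = {(1, 12): 1, (1, 11): 5, (1, 10): 7}

_TAG = re.compile(r":v?(\d+)\.(\d+)\.(\d+)(?![\d.])")


def controller_version(image):
    """Extract (major, minor, patch) from an image reference, or None."""
    ref = image.split("@", 1)[0]          # drop an optional @sha256 digest
    name = ref.rsplit("/", 1)[-1]         # ignore a registry host:port
    m = _TAG.search(name)
    return tuple(int(p) for p in m.groups()) if m else None


def triage(image):
    """Return 'patched', 'vulnerable' or 'unknown' for one controller image."""
    version = controller_version(image)
    if version is None:
        return "unknown"                  # e.g. ':latest' or a digest-only pin
    major, minor, patch = version
    branch = (major, minor)
    if branch in FIXED:
        return "patched" if patch >= FIXED[branch] else "vulnerable"
    # Assumption: branches newer than the newest fixed one carry the fix;
    # older branches have no fixed release listed, so treat them as vulnerable.
    return "patched" if branch > max(FIXED) else "vulnerable"


# Constructed sample inventory (cluster names, mirror host and digest are made up).
SAMPLE = {
    "prod-eu": "registry.k8s.io/ingress-nginx/controller:v1.12.1@sha256:0000",
    "prod-us": "registry.k8s.io/ingress-nginx/controller:v1.11.4",
    "staging": "mirror.example.internal:5000/ingress-nginx/controller:v1.10.7",
    "legacy": "registry.k8s.io/ingress-nginx/controller:v1.9.6",
    "dev": "registry.k8s.io/ingress-nginx/controller:latest",
}


def report(inventory):
    """Map each cluster name to the triage verdict for its controller image."""
    return {cluster: triage(image) for cluster, image in inventory.items()}


if __name__ == "__main__":
    for cluster, verdict in report(SAMPLE).items():
        print(f"{cluster:8} {verdict}")
```

An "unknown" verdict means the tag carries no version, so the running binary has to be checked directly rather than assumed patched.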
