A set of 5 essential safety shortcomings have been disclosed within the Ingress NGINX Controller for Kubernetes that might lead to unauthenticated distant code execution, placing over 6,500 clusters at speedy threat by exposing the element to the general public web.
The vulnerabilities (CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, and CVE-2025-1974 ), assigned a CVSS rating of 9.8, have been collectively codenamed IngressNightmare by cloud safety agency Wiz. It is price noting that the shortcomings don’t impression NGINX Ingress Controller, which is one other ingress controller implementation for NGINX and NGINX Plus.
“Exploitation of those vulnerabilities results in unauthorized entry to all secrets and techniques saved throughout all namespaces within the Kubernetes cluster by attackers, which may end up in cluster takeover,” the corporate mentioned in a report shared with The Hacker Information.
IngressNightmare, at its core, impacts the admission controller element of the Ingress NGINX Controller for Kubernetes. About 43% of cloud environments are weak to those vulnerabilities.
Ingress NGINX Controller makes use of NGINX as a reverse proxy and cargo balancer, making it attainable to reveal HTTP and HTTPS routes from outdoors a cluster to providers inside it.
The vulnerability takes benefit of the truth that admission controllers, deployed inside a Kubernetes pod, are accessible over the community with out authentication.
Particularly, it entails injecting an arbitrary NGINX configuration remotely by sending a malicious ingress object (aka AdmissionReview requests) on to the admission controller, leading to code execution on the Ingress NGINX Controller’s pod.
“The admission controller’s elevated privileges and unrestricted community accessibility create a essential escalation path,” Wiz defined. “Exploiting this flaw permits an attacker to execute arbitrary code and entry all cluster secrets and techniques throughout namespaces, that might result in full cluster takeover.”
The shortcomings are listed under –
- CVE-2025-24514 – auth-url Annotation Injection
- CVE-2025-1097 – auth-tls-match-cn Annotation Injection
- CVE-2025-1098 – mirror UID Injection
- CVE-2025-1974 – NGINX Configuration Code Execution
In an experimental assault situation, a menace actor might add a malicious payload within the type of a shared library to the pod through the use of the client-body buffer function of NGINX, adopted by sending an AdmissionReview request to the admission controller.
The request, in flip, accommodates one of many aforementioned configuration directive injections that causes the shared library to be loaded, successfully resulting in distant code execution.
Hillai Ben-Sasson, cloud safety researcher at Wiz, advised The Hacker Information that the assault chain basically entails injecting malicious configuration, and using it to learn delicate recordsdata and run arbitrary code. This might subsequently allow an attacker to abuse a powerful Service Account with a purpose to learn Kubernetes secrets and techniques and in the end facilitate cluster takeover.
Following accountable disclosure, the vulnerabilities have been addressed in Ingress NGINX Controller variations 1.12.1, 1.11.5, and 1.10.7.
Customers are advisable to replace to the newest model as quickly as attainable and make sure that the admission webhook endpoint will not be uncovered externally.
As mitigations, it is suggested to restrict solely the Kubernetes API Server to entry the admission controller and quickly disable the admission controller element if it is not wanted.
