Five critical security vulnerabilities have been found in the Ingress NGINX Controller for Kubernetes, potentially enabling unauthenticated remote code execution. This exposure puts over 6,500 clusters at immediate risk by making the component accessible via the public internet.
The vulnerabilities, CVE-2025-1097, CVE-2025-1098, CVE-2025-24514 and CVE-2025-1974, are a series of unauthenticated Remote Code Execution vulnerabilities in Ingress NGINX Controller for Kubernetes, discovered by Wiz Research, who collectively named them “IngressNightmare.”
According to the researchers, exploitation of these vulnerabilities could lead to “unauthorized access to all secrets stored across all namespaces in the Kubernetes cluster by attackers, which can result in cluster takeover.”
43% of Cloud Environments Are Vulnerable
At the heart of IngressNightmare is the admission controller component of the Ingress NGINX Controller for Kubernetes. Approximately 43% of cloud environments are estimated to be vulnerable. The controller uses NGINX as a reverse proxy and load balancer, making it possible to expose HTTP and HTTPS routes from outside a cluster to services within it.
The vulnerability takes advantage of the fact that admission controllers, deployed within a Kubernetes pod, are accessible over the network without authentication. Specifically, it involves injecting an arbitrary NGINX configuration remotely by sending a malicious ingress object (AdmissionReview requests) directly to the admission controller, resulting in code execution on the Ingress NGINX Controller’s pod.
Wiz researchers said the most serious of the vulnerabilities, CVE-2025-1974, rated 9.8 CVSS, enables anything on the Pod network to exploit configuration injection vulnerabilities via the Validating Admission Controller feature of ingress-nginx.
A Dangerous Vulnerability
“This makes such vulnerabilities far more dangerous: ordinarily, one would need to be able to create an Ingress object in the cluster, which is a fairly privileged action,” said Tabitha Sable, of the Kubernetes Security Response Committee.
“When combined with today’s other vulnerabilities, CVE-2025-1974 means that anything on the Pod network has a good chance of taking over your Kubernetes cluster, with no credentials or administrative access required. In many common scenarios, the Pod network is accessible to all workloads in your cloud VPC, or even anyone connected to your corporate network! This is a very serious situation,” she added.
For more information on the specific vulnerabilities, see the appropriate GitHub issue: CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, or CVE-2025-1974
Processing Inputs Without Sanitization
“The specific methods of exploiting vulnerabilities through annotations and configuration files are somewhat unique to cloud-native applications, but the underlying vulnerability in processing inputs without sanitization is a widely known weakness,” said Anthony Tam, Security Engineering Manager at Tigera.
Taking over the cluster with these vulnerabilities needs initial access to the cluster, which can be seen as a challenge, but the wide adoption of ingress-nginx combined with a high percentage of misconfigured clusters open to the public and the nature of these vulnerabilities being network accessible without authentication is dangerous, adds Tam.
“This emphasizes the importance of having strict network and security policies in place to protect from vulnerabilities before they are announced, given these vulnerabilities can be mitigated if the network access of the admissions controller was limited to only the KubeAPI server,” Tam said.
Leaving the Door Wide Open
“This vulnerability is like leaving your house door wide open,” says Jason Soroko, Senior Fellow at Sectigo. “The Ingress NGINX Controller helps route internet traffic for many companies running Kubernetes, but a flaw lets attackers send bad instructions that let them take control of the system and steal secrets. This flaw is dangerous because it does not require any special access. Many organizations use Kubernetes in the cloud and about 43% of these setups are at risk, meaning thousands of clusters are vulnerable if exposed.”
This kind of bug is not new, says Soroko. “Similar flaws have been exploited in the past to break into systems and grab sensitive data. The actors interested in this type of vulnerability include lone hackers, organized cybercrime groups, and even state-backed teams who want to disrupt services or gain access to valuable information. The simplicity of the attack makes it a tempting target for anyone looking to exploit weak security for their own gain.”
Lack of Effective Access Controls
What stands out is the lack of effective access controls to prevent unauthorized actors from gaining elevated privileges over targeted clusters, added Rom Carmel, Co-Founder and CEO at Apono. “This case underscores the urgent need for a more robust approach to securing Kubernetes—an environment that is dynamic, often ephemeral, yet critical to operations.”
Carmel also said it serves as a strong reminder that many of the tools we rely on demand additional security measures, particularly when it comes to access control. “This aligns with the well-known Shared Responsibility Model in cloud environments: while cloud service providers handle infrastructure maintenance and some baseline security, it’s up to organizations to enforce strong identity and access management (IAM) policies—defining who has access to what, with which privileges, and for how long.”
Given the growing number of authentication failures and access-related vulnerabilities, Carmel added that it is more important than ever for entities to adopt a Zero Standing Privileges (ZSP) approach which combines privilege reduction with Just-in-Time (JIT) access controls, limiting the window of opportunity for malicious activity to take hold.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.