Critical Vulnerabilities in Ingress NGINX Controller for Kubernetes
Recent disclosures have highlighted five critical vulnerabilities in the Ingress NGINX Controller for Kubernetes, collectively termed "IngressNightmare." These vulnerabilities, identified as CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, and CVE-2025-1974, pose a significant risk of unauthenticated remote code execution. With a CVSS score of 9.8, these vulnerabilities threaten over 6,500 clusters that are exposed to the public internet. The flaws primarily affect the admission controller component, which is accessible over the network without authentication, allowing attackers to execute arbitrary code and access all cluster secrets.
The vulnerabilities exploit the ability to inject arbitrary NGINX configurations via malicious ingress objects, leading to potential cluster takeovers. Approximately 43% of cloud environments using this controller are vulnerable. The Ingress NGINX Controller uses NGINX as a reverse proxy and load balancer, exposing HTTP and HTTPS routes from outside a cluster to services within it. The elevated privileges and unrestricted network accessibility of the admission controller create a critical escalation path for attackers.
In response to these vulnerabilities, updates have been released for Ingress NGINX Controller versions 1.12.1, 1.11.5, and 1.10.7. Users are urged to update to these versions immediately and ensure that the admission webhook endpoint is not exposed externally. Additional mitigations include limiting access to the Kubernetes API Server and temporarily disabling the admission controller component if not needed.
Threats and Vulnerabilities
The IngressNightmare vulnerabilities present a severe threat to Kubernetes clusters using the Ingress NGINX Controller. CVE-2025-24513 involves improper input validation that could lead to directory traversal and denial-of-service attacks. CVE-2025-24514, CVE-2025-1097, and CVE-2025-1098 allow for arbitrary code execution through various Ingress annotations, potentially exposing secrets accessible to the controller. CVE-2025-1974 enables unauthenticated attackers with pod network access to execute arbitrary code under certain conditions.
These vulnerabilities can be exploited by injecting malicious configurations into the NGINX setup, leading to remote code execution and unauthorized access to sensitive data across namespaces. The potential impact includes complete cluster takeover, with attackers able to read Kubernetes secrets and abuse strong Service Accounts.
Client Impact
Clients using the Ingress NGINX Controller for Kubernetes may face significant operational disruptions due to these vulnerabilities. Unauthorized access could lead to data breaches, financial losses, and reputational damage. The risk of cluster takeover is particularly concerning, as it could result in widespread service outages and loss of control over critical infrastructure.
From a compliance perspective, these vulnerabilities could trigger regulatory challenges and audits, especially if sensitive data is compromised. Organizations must act swiftly to mitigate these risks and ensure compliance with relevant laws and regulations.
Mitigations
To mitigate the risks associated with the IngressNightmare vulnerabilities, clients should take the following actions:
- Update the Ingress NGINX Controller to versions 1.12.1, 1.11.5, or 1.10.7 immediately.
- Restrict access to the admission webhook endpoint to prevent external exposure.
- Limit access to the admission controller to only the Kubernetes API Server.
- Temporarily disable the admission controller component if it is not essential.
- Regularly review and audit Kubernetes configurations for unauthorized changes.
- Implement network segmentation to limit access to critical components.
- Monitor for unusual activity or configuration changes within Kubernetes clusters.
By implementing these measures, clients can significantly reduce their exposure to these vulnerabilities. It is crucial to remain vigilant and proactive in monitoring for potential threats and ensuring that security practices are aligned with industry standards.
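The first two checks in the list above (patched version, admission webhook not exposed) can be automated against an export of cluster objects. The following is an added example, not code from the advisory or from the ingress-nginx project; the function names, the image path fragment, the "-admission" Service name suffix and the sample objects are assumptions made for illustration.

```python
import json
import re

# Fixed releases named on this page, keyed by release line (major, minor) -> minimum patch.
FIXED = {(1, 12): 1, (1, 11): 5, (1, 10): 7}

def is_patched(image):
    """True if the image tag is at or above the fixed release for its release line."""
    m = re.search(r":v?(\d+)\.(\d+)\.(\d+)", image)
    if not m:
        return False  # no version tag (digest-only reference): cannot verify
    major, minor, patch = map(int, m.groups())
    if (major, minor) in FIXED:
        return patch >= FIXED[(major, minor)]
    # Assumption: lines newer than 1.12 carry the fix; older lines have none listed here.
    return (major, minor) > max(FIXED)

def audit(items):
    """Return (namespace/name, finding) pairs for Deployments and Services."""
    findings = []
    for obj in items:
        meta = obj["metadata"]
        ref = f'{meta["namespace"]}/{meta["name"]}'
        if obj["kind"] == "Deployment":
            for c in obj["spec"]["template"]["spec"]["containers"]:
                # Assumption: controller images are identified by this path fragment.
                if "ingress-nginx/controller" in c["image"] and not is_patched(c["image"]):
                    findings.append((ref, "unpatched controller image " + c["image"]))
        elif obj["kind"] == "Service" and meta["name"].endswith("-admission"):
            # Assumption: the webhook Service name ends in "-admission".
            svc_type = obj["spec"].get("type", "ClusterIP")
            if svc_type != "ClusterIP":
                findings.append((ref, "admission webhook Service exposed as " + svc_type))
    return findings

# Constructed sample in the shape of `kubectl get deploy,svc -A -o json` output.
SAMPLE = json.loads("""{"items": [
 {"kind": "Deployment", "metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller"},
  "spec": {"template": {"spec": {"containers": [
   {"name": "controller", "image": "registry.k8s.io/ingress-nginx/controller:v1.11.3"}]}}}},
 {"kind": "Service", "metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller-admission"},
  "spec": {"type": "LoadBalancer"}},
 {"kind": "Deployment", "metadata": {"namespace": "edge", "name": "ingress-nginx-controller"},
  "spec": {"template": {"spec": {"containers": [
   {"name": "controller", "image": "registry.k8s.io/ingress-nginx/controller:v1.12.1"}]}}}},
 {"kind": "Service", "metadata": {"namespace": "edge", "name": "ingress-nginx-controller-admission"},
  "spec": {"type": "ClusterIP"}}]}""")

if __name__ == "__main__":
    for ref, finding in audit(SAMPLE["items"]):
        print(f"{ref}: {finding}")
```

A ClusterIP result only rules out external exposure through the Service type; the webhook remains reachable from the pod network unless a network policy limits it to the Kubernetes API Server.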
1898 & Co. Response
1898 & Co. is actively addressing the current threat landscape by offering specialized services tailored to mitigate risks associated with the IngressNightmare vulnerabilities. Our team is focused on providing thorough assessments of client environments to identify potential exposures and recommend tailored security enhancements.
We are updating our security protocols to incorporate the latest threat intelligence and best practices for securing Kubernetes environments. Our collaborative efforts with industry allies and government agencies ensure that we remain at the forefront of cybersecurity developments.
Our ongoing research and threat intelligence gathering activities enable us to provide clients with timely insights into emerging threats. We have successfully assisted several organizations in mitigating similar vulnerabilities through targeted interventions and strategic guidance.