A total of five serious security flaws have been identified within the Ingress NGINX Controller for Kubernetes, potentially leading to unauthenticated remote code execution (RCE), with over 6,500 clusters susceptible on the public internet. These vulnerabilities, cataloged as CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, and CVE-2025-1974, have been collectively named IngressNightmare. Each flaw carries a high severity rating (CVSS score of 9.8) as assigned by the cloud security firm Wiz. It is important to note that these vulnerabilities do not impact the NGINX Ingress Controller, which is a separate implementation designed for similar purposes.
These vulnerabilities pose a major security threat: they allow unauthorized access to sensitive data and can lead to the compromise of entire Kubernetes clusters. IngressNightmare primarily affects the admission controller component of the Ingress NGINX Controller, and approximately 43% of cloud environments are currently vulnerable. The Ingress NGINX Controller uses NGINX as a reverse proxy and load balancer to expose HTTP and HTTPS routes from outside a cluster to its internal services. The crux of the vulnerability lies in the admission controller, which runs inside a Kubernetes pod and is reachable over the network without authentication.
Breakdown of Key Vulnerabilities
IngressNightmare Vulnerabilities Overview
A set of five critical security flaws, collectively termed IngressNightmare, has been identified, posing grave risks to cloud clusters. These vulnerabilities, CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, and CVE-2025-1974, primarily involve the Ingress NGINX Controller for Kubernetes. The high CVSS scores assigned to them reflect their significant potential impact. Publicly exposed clusters are at particular risk, given the potential for unauthenticated remote code execution and the widespread deployment of the affected component.
These vulnerabilities can result in unauthorized remote access to a cluster, thereby enabling attackers to perform activities such as secret data extraction, service disruption, and possibly complete cluster takeover. The vulnerabilities primarily affect the NGINX component responsible for exposing HTTP and HTTPS routes, rendering a substantial percentage of cloud environments, around 43%, susceptible to attacks. The flaws arise from insecure configurations around the admission controller, which processes ingress resource definitions and interacts with other Kubernetes elements, making the environment highly susceptible to malicious ingress objects.
CVE Details and Severity
Each of the identified Common Vulnerabilities and Exposures (CVEs) provides a distinct pathway for a breach. CVE-2025-24513, despite a comparatively lower CVSS score of 4.8, involves improper input validation that can lead to directory traversal within the container; this flaw might result in denial-of-service conditions or limited secret disclosure. The other CVEs, namely CVE-2025-24514, CVE-2025-1097, and CVE-2025-1098, each hold a CVSS score of 8.8 and relate to the exploitation of various ingress annotations. When manipulated, these annotations could allow attackers to inject arbitrary configuration, leading to code execution and unauthorized secret extraction.
CVE-2025-1974 is the most critical among these, with a CVSS score of 9.8. It allows unauthenticated attackers who possess pod network access to execute arbitrary code within the controller. This CVE poses a significant threat due to the potential for severe impact, as it can lead to the execution of unauthorized commands, data leaks, and control over multiple components within the Kubernetes ecosystem. The attack surface exposed by these vulnerabilities necessitates an urgent and systematic response to mitigate the risks associated with cloud infrastructure.
Exploitation Mechanisms and Impact
Remote Code Execution and Elevated Privileges
The exploitation mechanism involved in these vulnerabilities focuses on the remote injection of arbitrary NGINX configuration. Attackers can send a malicious ingress object directly to the admission controller, which processes this object without proper authentication. This results in the execution of arbitrary code within the Ingress NGINX Controller’s pod, a pod that typically has elevated privileges and extensive network accessibility. Therefore, the primary impact of this flaw involves unauthorized code execution, allowing the attacker to perform a range of malicious activities across the cluster.
Given the controller’s scope of access and control, once the ingress object is processed, an attacker can escalate privileges and gain access to sensitive data. The critical nature of this vulnerability is exemplified by the ability of attackers to exploit ingress routes to manipulate the NGINX configuration, bypassing security measures meant to protect the internal workings of the cluster. The exposed attack vector not only risks data breaches but also threatens operational integrity, potentially causing significant disruptions in services.
Experimental Attack Demonstrations
An experimental attack demonstrated by security researchers illustrated a plausible scenario in which malicious actors use the NGINX client-body buffer feature to load a harmful payload, then trigger its execution in the admission controller by sending manipulated AdmissionReview requests. This process allows a threat actor to read sensitive files and execute arbitrary commands, effectively enabling cluster-wide control. The demonstrated attack underlines the importance of secure configurations and vigilant monitoring of ingress objects to prevent such scenarios.
The attack methodology outlined in the research highlights how threat actors could intercept and manipulate ingress traffic, leading to severe security breaches. The researchers’ findings stress the need for robust security practices, particularly focusing on configurations and policies that govern ingress components. The ability to remotely execute arbitrary code and affect interconnected services necessitates a comprehensive approach to securing Kubernetes environments, with a particular focus on ingress-related configurations.
Mitigation and Preventive Measures
Patches and Updates
Following responsible disclosure by the security firm Wiz, the maintainers of the Ingress NGINX Controller released patches in versions 1.12.1, 1.11.5, and 1.10.7. These patches address the identified vulnerabilities and are crucial for mitigating the associated risks. Prompt application of these updates is essential for ensuring the security of affected clusters. Users and administrators are strongly advised to update their instances of the Ingress NGINX Controller to these fixed versions to prevent potential exploitation.
Updating to the latest patched versions, however, only forms part of the necessary security posture. Regular monitoring and auditing of configurations and access permissions are imperative to maintaining a secure environment. A proactive approach to vulnerability management will involve not only applying patches but also understanding the configurations that led to these vulnerabilities, ensuring similar issues can be preemptively addressed in future deployments.
Best Practices for Security
Beyond applying patches, several best practices are recommended to mitigate risk and improve overall security. Notably, access to the admission webhook endpoint should be restricted so that it is not publicly reachable; limiting access to the Kubernetes API server alone significantly reduces the attack surface. Additionally, if the admission controller component is not in use, it should be disabled to eliminate an unnecessary risk vector. Regular audits and adherence to security protocols further ensure that potential weaknesses are identified and addressed promptly.
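As an added example (not code from the article, from Wiz, or from the ingress-nginx project), the following POSIX shell script turns the two mitigations discussed above, upgrading to the fixed releases 1.12.1, 1.11.5 and 1.10.7 and restricting the admission webhook to the API server, into an audit helper an administrator can run. Everything beyond those version numbers is an assumption: that controller pods carry the labels app.kubernetes.io/name=ingress-nginx and app.kubernetes.io/component=controller in the ingress-nginx namespace, that image tags look like v1.12.0, that the webhook listens on container port 8443, and that minor lines newer than 1.12 ship with the fix. The image references in the demo are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the article nor of the ingress-nginx project.
# Assumptions (not stated on the page): controller pods are labelled
# app.kubernetes.io/name=ingress-nginx, app.kubernetes.io/component=controller
# in namespace ingress-nginx; image tags look like v1.12.0; the admission
# webhook listens on container port 8443. The fixed versions (1.12.1, 1.11.5,
# 1.10.7) are the ones named in the article.

# Classify a controller version against the fixed release of its minor line.
# Prints "patched" or "vulnerable". Minor lines newer than 1.12 are assumed
# to carry the fix; lines older than 1.10 received no fix at all.
ingress_nginx_status() {
  v=${1#v}                                   # tolerate a leading "v"
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%.*}
  case "$rest" in *.*) patch=${rest#*.} ;; *) patch=0 ;; esac
  patch=${patch%%[!0-9]*}                    # drop suffixes such as "-alpine"
  case "$major$minor" in *[!0-9]*|'') echo vulnerable; return ;; esac
  [ "$major" -eq 1 ] || { echo vulnerable; return; }
  case "$minor" in
    12) fix=1 ;;
    11) fix=5 ;;
    10) fix=7 ;;
    *)  [ "$minor" -gt 12 ] && echo patched || echo vulnerable; return ;;
  esac
  [ "${patch:-0}" -ge "$fix" ] && echo patched || echo vulnerable
}

# Take a full image reference (digest and registry port tolerated), pull out
# the tag and classify it. Untagged or "latest" images cannot be judged.
audit_image() {
  img=${1%%@*}                               # strip "@sha256:..." digest
  tag=${img##*:}
  case "$tag" in "$img"|*/*|latest) echo "$1 unknown (no version tag)"; return ;; esac
  echo "$1 $(ingress_nginx_status "$tag")"
}

# Emit a NetworkPolicy that keeps the proxy ports 80/443 open to everyone but
# admits the webhook port only from the control-plane CIDR passed as $1.
# Because the policy selects the controller pods, the proxy ports must be
# listed explicitly; otherwise the policy would also cut off ordinary traffic.
admission_network_policy() {
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ingress-nginx-admission-restrict
  namespace: ingress-nginx
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/component: controller
  policyTypes:
  - Ingress
  ingress:
  - ports:
    - port: 80
      protocol: TCP
    - port: 443
      protocol: TCP
  - from:
    - ipBlock:
        cidr: $1
    ports:
    - port: 8443
      protocol: TCP
EOF
}

# Demo over constructed image references (not taken from any real cluster).
for ref in \
  registry.k8s.io/ingress-nginx/controller:v1.12.0 \
  registry.k8s.io/ingress-nginx/controller:v1.12.1@sha256:0000 \
  registry.k8s.io/ingress-nginx/controller:v1.11.4 \
  registry.k8s.io/ingress-nginx/controller:v1.10.7 \
  registry.k8s.io/ingress-nginx/controller:v1.9.6 \
  registry.k8s.io/ingress-nginx/controller:latest
do
  audit_image "$ref"
done
admission_network_policy 10.0.0.0/24         # placeholder control-plane CIDR
```

In a real audit the image references come from the cluster, for instance `kubectl get pods -A -l app.kubernetes.io/name=ingress-nginx -o jsonpath='{.items[*].spec.containers[*].image}'`, and the CIDR handed to `admission_network_policy` must cover the addresses the API server actually connects from, which differ between self-hosted and managed control planes; the policy also only takes effect on a CNI that enforces NetworkPolicy. Where the admission controller is not needed at all, the article's other recommendation, disabling it, is the simpler fix: in the Helm chart that is the value `controller.admissionWebhooks.enabled=false` (chart value name as I understand it), and in the static manifests it amounts to removing the `ingress-nginx-admission` ValidatingWebhookConfiguration.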
Security professionals emphasize the importance of implementing comprehensive security controls that encompass not just patch management, but also configuration best practices. Secure network segmentation, governing access controls, and routine security assessments are critical to safeguarding Kubernetes environments. The Ingress NGINX Controller vulnerabilities highlight a broader need for vigilance and proactive measures within cloud infrastructure to prevent exploitation and ensure data integrity.
Securing Future Cloud Deployments
Importance of Stringent Security Measures
The recent disclosure of critical vulnerabilities within the Ingress NGINX Controller serves as a vivid reminder of the importance of stringent security measures in cloud environments. As Kubernetes continues to gain traction as a preferred platform for deployment and management of containerized applications, the need for robust security protocols throughout the lifecycle of services cannot be overstated. Immediate updates and adherence to best security practices are fundamental in mitigating risks and preventing unauthorized access to sensitive data.
Moving forward, organizations must prioritize security at every level of their infrastructure. This includes routine updates, continuous monitoring for unusual activities, and implementing stringent access control policies. As attackers increasingly target container orchestration platforms, a proactive approach to security will be a critical factor in maintaining operational integrity and protecting valuable assets within cloud environments.
Future Considerations and Developments
Five critical security vulnerabilities have been identified within the Ingress NGINX Controller for Kubernetes. These flaws, labeled CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, and CVE-2025-1974, collectively known as IngressNightmare, lead to potential unauthenticated remote code execution (RCE) and affect over 6,500 clusters exposed on the public internet. Each has been assigned a high severity rating of 9.8 by the cloud security firm Wiz. Notably, these vulnerabilities do not impact the NGINX Ingress Controller, which is a different implementation serving similar functions.
The IngressNightmare vulnerabilities present a significant security risk, as they provide unauthorized access to sensitive data and can potentially compromise entire Kubernetes clusters. They primarily affect the admission controller component of the Ingress NGINX Controller, which uses NGINX for reverse proxy and load balancing. Approximately 43% of cloud environments are currently at risk. The crucial element lies within the admission controllers that are deployed in Kubernetes pods and are accessible over the network without requiring authentication.