Security Vulnerabilities Discovered in Ingress NGINX Controller, Potentially Exposing Over 6,500 Kubernetes Clusters
A suite of five significant security vulnerabilities has been identified within the Ingress NGINX Controller for Kubernetes. These weaknesses could lead to unauthorized remote code execution, jeopardizing the security of more than 6,500 clusters that are currently exposed to the public internet. The vulnerabilities have been assigned a critical CVSS score of 9.8 and have been collectively dubbed IngressNightmare by Wiz, a cloud security firm.
The vulnerabilities in question—CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, and CVE-2025-1974—raise serious concerns about data confidentiality and integrity. Exploitation could allow malicious actors to gain unauthorized access to all secrets stored across Kubernetes namespaces, thereby enabling a potential cluster takeover. Notably, these vulnerabilities do not affect the NGINX Ingress Controller, an alternative implementation.
The Ingress NGINX Controller acts as a reverse proxy and load balancer within Kubernetes, making it the component that exposes external HTTP and HTTPS routes to internal services. The vulnerabilities, however, stem from a design flaw in the admission controller that ships with the Ingress NGINX Controller: this component is reachable over the network without any authentication.
A specific attack vector involves sending malicious ingress objects, delivered as AdmissionReview requests, directly to the admission controller, which allows attackers to inject arbitrary NGINX configuration directives. Such manipulation can lead to code execution within the Ingress NGINX Controller’s pod. This chain of events underscores the combination of elevated privileges and unrestricted network accessibility that admission controllers have, creating a dangerous escalation path for potential attackers.
The documented vulnerabilities can be leveraged through various means. For instance, CVE-2025-24514 allows attackers to inject malicious configurations via the auth-url Ingress annotation, effectively leading to code execution in the context of the ingress-nginx controller. Similarly, CVE-2025-1974 enables unauthenticated access to arbitrary code execution under certain conditions if the attacker can access the pod network.
In light of these findings, the Kubernetes Security Response Committee has urged users to upgrade to the latest versions of the Ingress NGINX Controller (1.12.1, 1.11.5, and 1.10.7) to mitigate the risks. Furthermore, it is recommended that the admission webhook endpoint not be exposed externally and that access to the admission controller be restricted to the Kubernetes API Server.
As a precautionary measure, organizations are also advised to temporarily disable the admission controller component if it is not in use, thereby reducing the potential attack surface.
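The two mitigations above (run a fixed release; keep the admission webhook unreachable from outside the cluster) are easy to verify from the output of `kubectl get pods -A -o json` and `kubectl get svc -A -o json`. The script below is an added audit example, not code from the article, the Kubernetes project or Wiz. It assumes that controller images carry `ingress-nginx/controller` in their name and that the webhook Service has `admission` in its name, as the upstream manifests do; it also assumes that minor lines newer than 1.12 include the fix and that lines older than 1.10, which received no fixed release, should be upgraded. The embedded JSON documents are constructed samples so the script runs offline.

```python
"""Audit ingress-nginx controller versions and admission webhook exposure
(added example; not from the article or the ingress-nginx project)."""
import json
import re
import sys

# Fixed releases named in the advisory, keyed by minor line.
FIXED = {(1, 10): (1, 10, 7), (1, 11): (1, 11, 5), (1, 12): (1, 12, 1)}
VERSION_RE = re.compile(r":v?(\d+)\.(\d+)\.(\d+)")


def parse_version(image):
    """Extract (major, minor, patch) from an image tag such as ...:v1.11.4."""
    m = VERSION_RE.search(image)
    return tuple(int(x) for x in m.groups()) if m else None


def is_patched(image):
    """True when the image tag is at or above the fixed release for its minor line.
    Images without a parsable version cannot be verified and count as unpatched."""
    v = parse_version(image)
    if v is None:
        return False
    fixed = FIXED.get(v[:2])
    if fixed is not None:
        return v >= fixed
    # Assumption: lines newer than 1.12 ship with the fix; older unlisted lines have none.
    return v[:2] > (1, 12)


def find_controllers(pods_doc):
    """Yield (namespace, pod, image) for every ingress-nginx controller container."""
    for pod in pods_doc["items"]:
        for c in pod["spec"]["containers"]:
            if "ingress-nginx/controller" in c["image"]:
                yield pod["metadata"]["namespace"], pod["metadata"]["name"], c["image"]


def exposed_admission_services(svc_doc):
    """Admission webhook Services whose type makes them reachable from outside the cluster.
    Assumption: the webhook Service name contains 'admission' (upstream default)."""
    found = []
    for svc in svc_doc["items"]:
        name = svc["metadata"]["name"]
        svc_type = svc["spec"].get("type", "ClusterIP")
        if "admission" in name and svc_type in ("NodePort", "LoadBalancer"):
            found.append((svc["metadata"]["namespace"], name, svc_type))
    return found


def audit(pods_doc, svc_doc):
    """Return one finding line per unpatched controller or exposed webhook Service."""
    findings = []
    for ns, pod, image in find_controllers(pods_doc):
        if not is_patched(image):
            findings.append(f"{ns}/{pod}: {image} predates the fixed releases; "
                            "upgrade to 1.12.1, 1.11.5 or 1.10.7")
    for ns, name, svc_type in exposed_admission_services(svc_doc):
        findings.append(f"{ns}/{name}: admission webhook Service is type {svc_type}; "
                        "restrict it to the Kubernetes API server")
    return findings


def _pod(ns, name, image):
    return {"metadata": {"namespace": ns, "name": name},
            "spec": {"containers": [{"name": "controller", "image": image}]}}


def _svc(ns, name, svc_type):
    return {"metadata": {"namespace": ns, "name": name}, "spec": {"type": svc_type}}


# Constructed sample documents mimicking kubectl -o json output.
SAMPLE_PODS = {"items": [
    _pod("ingress-nginx", "ingress-nginx-controller-7d9f", "registry.k8s.io/ingress-nginx/controller:v1.11.4"),
    _pod("ingress-edge", "ingress-nginx-controller-a1b2", "registry.k8s.io/ingress-nginx/controller:v1.12.1"),
    _pod("default", "web-5c6d", "nginx:1.27"),  # unrelated NGINX pod, must be ignored
]}
SAMPLE_SVCS = {"items": [
    _svc("ingress-nginx", "ingress-nginx-controller", "LoadBalancer"),  # the proxy itself, legitimately exposed
    _svc("ingress-nginx", "ingress-nginx-controller-admission", "ClusterIP"),
    _svc("ingress-edge", "ingress-nginx-controller-admission", "LoadBalancer"),  # webhook exposed: finding
]}

if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Real use: python audit.py pods.json services.json, holding kubectl JSON output.
        with open(sys.argv[1]) as f:
            pods = json.load(f)
        with open(sys.argv[2]) as f:
            svcs = json.load(f)
    else:
        pods, svcs = SAMPLE_PODS, SAMPLE_SVCS
    for line in audit(pods, svcs) or ["no findings"]:
        print(line)
```

Service type is only one way the webhook can leak out of the cluster; a NetworkPolicy on the controller pods that admits webhook traffic only from the API server addresses direct pod-network access as well, which is the case CVE-2025-1974 covers.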
Cybersecurity researchers from ProjectDiscovery have highlighted that the vulnerability, particularly CVE-2025-1974, stems from a design flaw in how the admission controller processes ingress objects. By exploiting this flaw, a skilled attacker could effectively launch a chain of attacks leading to the disclosure of Kubernetes secrets and potentially a full cluster takeover.
Given the gravity of these vulnerabilities and the large pool of affected targets, vigilance is paramount for organizations utilizing Kubernetes in their cloud environments. The risk of exploitation poses not only a significant threat to data security but also to overall operational integrity. Therefore, adopting best practices for configuring Kubernetes environments is crucial in safeguarding against these vulnerabilities.