
March 25, 2025

Ingress NGINX Kubernetes Controller vulnerabilities a ‘nightmare’ for impacted users


Five critical vulnerabilities, collectively termed "IngressNightmare," have been identified in the Ingress NGINX Controller for Kubernetes, potentially allowing unauthenticated remote code execution and jeopardizing over 6,500 clusters exposed to the internet.

These vulnerabilities lie in the admission controller component of the Ingress NGINX Controller, which is reachable over the pod network without authentication. By sending a malicious Ingress object to it, attackers can inject arbitrary NGINX configuration directives, leading to code execution within the controller's pod.

The specific vulnerabilities include:

  • CVE-2025-24513: An improper input validation flaw leading to directory traversal, potentially causing denial-of-service or limited secret disclosure.
  • CVE-2025-24514: A flaw in the auth-url Ingress annotation that could allow arbitrary code execution and secret disclosure.
  • CVE-2025-1097: An issue in the auth-tls-match-cn Ingress annotation that could allow arbitrary code execution and secret disclosure.
  • CVE-2025-1098: A vulnerability in the mirror-target and mirror-host Ingress annotations that could allow arbitrary code execution and secret disclosure.
  • CVE-2025-1974: A flaw that allows unauthenticated threat actors with pod network access to achieve arbitrary code execution under certain conditions.

Exploiting these flaws could grant attackers unauthorized access to all secrets stored across all namespaces in the Kubernetes cluster, potentially leading to a complete cluster takeover.

To mitigate these risks, users are advised to update to Ingress NGINX Controller versions 1.12.1, 1.11.5, or 1.10.7, and to ensure that the admission webhook endpoint is not externally exposed.
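The two mitigation steps above, as an added shell check that is not Field Effect's or the ingress-nginx project's code: it compares the controller image tag with the patched releases (treating any branch newer than 1.12 as fixed, an assumption) and flags an admission webhook Service of type LoadBalancer or NodePort. It assumes the upstream manifest names ingress-nginx-controller and ingress-nginx-controller-admission and uses the current kubectl context.

```shell
#!/bin/sh
# Added example, not the page's or the project's code: classify an ingress-nginx
# controller image against the patched releases 1.12.1 / 1.11.5 / 1.10.7 and
# flag an admission webhook Service reachable from outside the cluster.
# Assumed names: ingress-nginx-controller, ingress-nginx-controller-admission.
set -u

# Exit 0 when the version is at or after the patched release of its branch.
is_fixed_version() {
    tag="${1#v}"                      # "v1.11.4" -> "1.11.4"
    tag="${tag%%-*}"                  # drop "-rc1"-style suffixes
    major=; minor=; patch=
    IFS=. read -r major minor patch <<EOF
$tag
EOF
    [ "${major:-0}" -eq 1 ] 2>/dev/null || return 1
    case "$minor" in
        12) [ "${patch:-0}" -ge 1 ] 2>/dev/null ;;
        11) [ "${patch:-0}" -ge 5 ] 2>/dev/null ;;
        10) [ "${patch:-0}" -ge 7 ] 2>/dev/null ;;
        *)  [ "${minor:-0}" -gt 12 ] 2>/dev/null ;;   # assumption: newer branches carry the fix
    esac
}

# Prints "patched" or "unpatched" for a full image reference, with or without a digest.
classify_image() {
    ref="${1%%@*}"                    # strip "@sha256:..." before taking the tag
    tag="${ref##*:}"
    if is_fixed_version "$tag"; then echo patched; else echo unpatched; fi
}

# Exit 0 when the Service type publishes the admission webhook beyond the cluster.
admission_exposed() {
    case "$1" in LoadBalancer|NodePort) return 0 ;; *) return 1 ;; esac
}

# Live check against the current kubectl context (namespace defaults to ingress-nginx).
check_cluster() {
    ns="${1:-ingress-nginx}"
    image=$(kubectl -n "$ns" get deploy ingress-nginx-controller -o jsonpath='{.spec.template.spec.containers[0].image}')
    svc=$(kubectl -n "$ns" get svc ingress-nginx-controller-admission -o jsonpath='{.spec.type}')
    echo "controller image $image: $(classify_image "$image")"
    if admission_exposed "$svc"; then
        echo "admission webhook Service is $svc: restrict it to ClusterIP"
    else
        echo "admission webhook Service is $svc: not externally exposed"
    fi
}
if [ "${1:-}" = "--live" ]; then check_cluster "${2:-}"; fi
```

Run it as `sh check.sh --live [namespace]` against a cluster, or source it to use the functions on image references pulled from an inventory.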

Source: Bleeping Computer

Analysis

Ingress NGINX Controller for Kubernetes has been affected by multiple security vulnerabilities in the past. For example, in 2023, a series of critical flaws were uncovered that allowed authentication bypass, arbitrary command execution, and code injection.

Another vulnerability, CVE-2022-30535, reported in August 2022, similarly enabled threat actors with permissions to update Ingress objects to extract sensitive secrets accessible to the Ingress NGINX Controller.

Fortunately, there were no publicly documented instances of threat actors actively exploiting these vulnerabilities. However, given their role in managing external traffic to Kubernetes services, any flaw in the implementation of NGINX controllers can lead to serious consequences, including unauthorized access, data exposure, or even full cluster compromise. Organizations relying on Ingress NGINX Controller for Kubernetes should prioritize timely updates, implement strong access controls, and continuously monitor for emerging threats.

Mitigation

Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for vulnerabilities discovered in software like the Ingress NGINX Controller. Field Effect MDR users are automatically notified if vulnerable software is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.

Field Effect recommends that impacted users update to the latest version as soon as possible and ensure that the recommended security measures are adopted in accordance with the Kubernetes advisory.
