CyberSecurity SEE

Ingress-nginx vulnerabilities may result in Kubernetes cluster takeover

Several critical vulnerabilities have been discovered by Wiz researchers in the Ingress NGINX Controller for Kubernetes, known as ingress-nginx, which could potentially allow attackers to take control of Kubernetes clusters. The analysis conducted by the researchers revealed that approximately 43% of cloud environments are susceptible to these vulnerabilities. They identified over 6,500 clusters, including those belonging to Fortune 500 companies, that expose vulnerable Kubernetes ingress controllers’ admission controllers to the public internet, posing an immediate critical risk.

The vulnerabilities, collectively named “IngressNightmare,” affect the widely used open-source controller that manages network traffic in Kubernetes clusters. Ingress NGINX Controller for Kubernetes utilizes NGINX web server as a reverse proxy and load balancer. Ingress, a Kubernetes feature used to expose workload pods externally, employs nginx configurations based on Ingress objects to route external traffic to applications within Kubernetes clusters.

The vulnerabilities within IngressNightmare allow unauthenticated attackers to manipulate nginx behavior by serving a specially-crafted Ingress object. The specific vulnerabilities identified include CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974, and CVE-2025-24513, each enabling different forms of configuration injection or arbitrary code execution within the context of the ingress-nginx controller.

Of these vulnerabilities, CVE-2025-1974, with a CVSS rating of 9.8, poses the most severe threat as it allows exploitation of configuration injection vulnerabilities via the Validating Admission Controller feature of ingress-nginx. This vulnerability, when combined with others, grants anything on the Pod network the ability to potentially take control of a Kubernetes cluster without requiring credentials or administrative access.

Wiz researchers have published technical details and a video demonstration of the RCE exploit. The maintainers of ingress-nginx have released fixes in versions v1.12.1 and v1.11.5 and urge cluster admins to apply these updates immediately. Temporarily disabling the Validating Admission Controller feature of ingress-nginx can also reduce the risk; the feature should be re-enabled after the upgrade, since it improves the user experience.

Implementing strict network policies to limit access to the admission controller to only the Kubernetes API Server has also been suggested as a mitigation strategy. AWS has clarified that Amazon Elastic Kubernetes Service does not install the ingress-nginx controller and is not affected by these vulnerabilities. However, customers who installed this controller on their clusters are advised to update to the latest version. Similarly, Google Cloud has issued guidance for Google Kubernetes Engine users to update their installations.
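To find the controllers that still need the upgrade described above, the following added example (not from the article, Wiz or the ingress-nginx project) classifies controller images against the fixed releases v1.11.5 and v1.12.1. It assumes that any release below the fix on its line is still affected and that pods carry the default `app.kubernetes.io/name=ingress-nginx` label; the sample pod names and digest are constructed.

```bash
#!/usr/bin/env bash
# Added example: flag ingress-nginx controller images that predate the fixed
# releases named in the article (v1.11.5 and v1.12.1).
# Assumption: any release below the fix on its line still needs the upgrade.
#
# Live input, assuming the default app.kubernetes.io/name=ingress-nginx label:
#   kubectl get pods -A -l app.kubernetes.io/name=ingress-nginx \
#     -o jsonpath='{range .items[*]}{.metadata.namespace} {.metadata.name} {.spec.containers[0].image}{"\n"}{end}' | audit

# version_lt A B: succeeds when A sorts strictly before B (uses sort -V).
version_lt() {
  [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# classify_image IMAGE: prints "fixed", "vulnerable" or "unknown".
classify_image() {
  local ref="${1%%@*}"      # drop an optional @sha256:... digest
  local tag="${ref##*:}"    # text after the last colon is the tag
  local ver="${tag#v}"      # v1.12.1 -> 1.12.1
  case "$ver" in
    [0-9]*.[0-9]*.[0-9]*) ;;
    *) echo unknown; return ;;   # untagged or non-semver reference
  esac
  if ! version_lt "$ver" 1.12.1; then
    echo fixed                   # 1.12.1 and anything newer
  elif [ "${ver%.*}" = "1.11" ] && ! version_lt "$ver" 1.11.5; then
    echo fixed                   # patched 1.11.x line
  else
    echo vulnerable
  fi
}

# audit: reads "NAMESPACE POD IMAGE" lines on stdin, prints one verdict per pod.
audit() {
  local ns pod image
  while read -r ns pod image; do
    [ -n "$image" ] || continue
    printf '%s/%s %s %s\n' "$ns" "$pod" "$image" "$(classify_image "$image")"
  done
}

# Constructed sample input (pod names and digest are made up).
audit <<'EOF'
ingress-nginx controller-a registry.k8s.io/ingress-nginx/controller:v1.12.0
ingress-nginx controller-b registry.k8s.io/ingress-nginx/controller:v1.12.1@sha256:aaaa
edge controller-c registry.k8s.io/ingress-nginx/controller:v1.11.4
edge controller-d registry.k8s.io/ingress-nginx/controller:v1.11.5
EOF
```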

Overall, it is crucial for organizations utilizing Kubernetes clusters with the ingress-nginx controller to promptly address these vulnerabilities to safeguard their environments from potential exploitation by malicious actors.
