CybrWolf

ingress nightmare

More than 40% of all internet-facing Kubernetes clusters are vulnerable to a newly disclosed set of critical security flaws, dubbed IngressNightmare. These vulnerabilities affect the Ingress NGINX Controller and could allow attackers to gain complete control over affected clusters. Given the widespread use of Kubernetes in enterprise environments, the impact is significant.

The Scope of the Threat

Researchers at Wiz identified four vulnerabilities in the Ingress NGINX Controller, a popular Kubernetes component responsible for managing external traffic to internal services. Three of these flaws (CVE-2025-24514, CVE-2025-1097, and CVE-2025-1098) enable attackers to manipulate NGINX configurations, potentially bypassing security controls. However, the most severe issue, CVE-2025-1974, acts as a gateway to remote code execution when combined with the other three, giving attackers the ability to take over entire Kubernetes clusters.

How the IngressNightmare Attack Works

The core issue lies in how the Ingress NGINX Controller’s admission controller processes incoming objects. By exploiting weak validation mechanisms, attackers can inject unauthorized NGINX directives, executing arbitrary commands on the system. This could lead to:

  • Remote code execution (RCE) within the Ingress NGINX Controller pod
  • Unauthorized access to Kubernetes secrets across namespaces
  • Complete cluster compromise without requiring authentication

Kubernetes maintainers have rated CVE-2025-1974 with a CVSS score of 9.8, highlighting the urgency of the situation.

IngressNightmare – Who is at Risk?

Any organization running an affected version of Ingress NGINX Controller—especially those exposing their admission controllers to the internet—is at risk. Researchers warn that thousands of clusters, including those used by Fortune 500 companies, could be vulnerable. Even in cases where admission controllers are not directly exposed, attackers could exploit weaknesses through Server-Side Request Forgery (SSRF) vulnerabilities in other applications.

Mitigation and Next Steps

The Kubernetes maintainers have released patches to address these vulnerabilities in Ingress NGINX Controller versions 1.12.1, 1.11.5, and 1.10.7. Organizations are urged to update immediately. For those unable to patch right away, the following steps can help mitigate the risk:

  • Restrict access to the admission controller, allowing only the Kubernetes API server to communicate with it.
  • Disable the admission controller if it is not essential to your environment.
  • Conduct an audit of your cluster’s network exposure to ensure unnecessary components are not publicly accessible.
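As an added example that is not part of this post or of the ingress-nginx project, the following POSIX shell script turns the patch and exposure steps into a check: it classifies a controller's image tag against the fixed releases named above and lists the type of the admission Service so a webhook reachable from outside the cluster stands out. The pod label selector and the `-admission` Service name are assumed from the upstream ingress-nginx manifests, and releases after the 1.12 line are assumed to carry the fix.

```shell
#!/bin/sh
# Added example, not from the CybrWolf post or the ingress-nginx project: classify a
# controller version against the fixed releases named above (1.12.1, 1.11.5, 1.10.7).
# Assumed: minor lines after 1.12 carry the fix; lines before 1.10 got none (affected).

# Tag of an image reference, e.g. "registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:..."
# -> "v1.11.4"; prints nothing when there is no tag.
image_tag() {
    ref="${1%%@*}"              # drop a trailing @sha256:<digest>
    tag="${ref##*:}"
    case "$tag" in
        "$ref"|*/*) echo "" ;;  # no colon at all, or the colon was a registry port
        *) echo "$tag" ;;
    esac
}

# Exit 0 if VERSION carries the fix, 1 if it is affected, 2 if not an x.y.z string.
ingress_nginx_patched() {
    v="${1#v}"
    case "$v" in *.*.*) ;; *) return 2 ;; esac
    major="${v%%.*}"; rest="${v#*.}"
    minor="${rest%%.*}"; patch="${rest#*.}"
    patch="${patch%%[!0-9]*}"   # strip pre-release suffixes such as "-rc1"
    for n in "$major" "$minor" "$patch"; do
        case "$n" in ''|*[!0-9]*) return 2 ;; esac
    done
    [ "$major" -gt 1 ] && return 0
    [ "$minor" -gt 12 ] && return 0
    case "$minor" in
        12) [ "$patch" -ge 1 ] && return 0 ;;
        11) [ "$patch" -ge 5 ] && return 0 ;;
        10) [ "$patch" -ge 7 ] && return 0 ;;
    esac
    return 1
}
# Live check, run only when kubectl is on PATH. Label selector and the
# "-admission" Service name follow the upstream ingress-nginx manifests (assumed).
if command -v kubectl >/dev/null 2>&1; then
    kubectl get pods -A -l app.kubernetes.io/name=ingress-nginx \
        -o jsonpath='{range .items[*]}{.spec.containers[*].image}{"\n"}{end}' |
    while read -r image; do
        if ingress_nginx_patched "$(image_tag "$image")"; then echo "patched:  $image"
        elif [ $? -eq 2 ]; then echo "unknown:  $image"
        else echo "AFFECTED: $image"; fi
    done
    # The admission Service should stay ClusterIP; NodePort or LoadBalancer exposes it.
    kubectl get svc -A -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name} {.spec.type}{"\n"}{end}' |
        grep -- '-admission ' || echo "no admission Service found"
fi
```

An admission Service of type NodePort or LoadBalancer, or any "AFFECTED" line, is the cue to apply the steps above.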

Security experts emphasize that admission controllers should never be exposed to the public internet, yet misconfigurations often leave them accessible. Regular security reviews and proactive monitoring are essential in preventing such risks.

Final Thoughts

The IngressNightmare vulnerabilities serve as a reminder of how misconfigurations and overlooked security gaps can have severe consequences in Kubernetes environments. Organizations that rely on Kubernetes for business-critical applications should act swiftly to patch affected systems and enforce stronger security controls. In a landscape where attackers constantly look for weak points, proactive defense is the best strategy.
