
IngressNightmare: Critical Kubernetes Vulnerabilities That Demand Immediate Attention
On March 24, 2025, security researchers from Wiz disclosed a set of critical vulnerabilities collectively named “IngressNightmare” affecting the Ingress NGINX Controller for Kubernetes. With a CVSS score of 9.8 out of 10, these vulnerabilities allow unauthenticated remote code execution that could lead to complete cluster takeover. Organizations running Kubernetes clusters with the affected components should take immediate action to protect their environments.
Understanding the Vulnerability
IngressNightmare consists of five critical vulnerabilities (CVE-2025-1097, CVE-2025-1098, CVE-2025-1974, CVE-2025-24513, and CVE-2025-24514) affecting the Ingress NGINX Controller, an open-source controller used for managing network traffic in Kubernetes clusters using NGINX as a reverse proxy and load balancer.
The most concerning issue is that these vulnerabilities can be chained together to allow remote attackers to execute arbitrary code without requiring authentication. This attack vector is similar in severity to the notorious Log4Shell vulnerability that affected many organizations in 2021.
Impact and Scope
The impact of IngressNightmare is severe and widespread:
- Approximately 43% of cloud environments are vulnerable
- Over 6,500 Kubernetes clusters, including those of Fortune 500 companies, are at immediate risk
- Attackers can gain unauthorized access to all secrets stored across all namespaces
- Exploitation can lead to complete cluster takeover
- Affected clusters with exposed admission controllers are at the highest risk
How the Exploit Works
The attack abuses weaknesses in the admission controller component of the Ingress NGINX Controller. Here’s how it works:
- The admission controller processes incoming ingress objects to validate them before deployment
- Due to improper input validation, attackers can inject arbitrary NGINX configuration by sending malicious ingress objects directly to the admission controller
- During configuration validation, the injected configuration causes the NGINX validator to execute malicious code
- This leads to remote code execution on the Ingress NGINX Controller’s pod
- With the controller’s elevated privileges and unrestricted network access, attackers can access all cluster secrets and potentially take over the entire cluster
Specifically, three of the vulnerabilities (CVE-2025-1097, CVE-2025-1098, and CVE-2025-24514) are injection vulnerabilities that can be chained with CVE-2025-1974 to achieve remote code execution and privilege escalation.
Remediation Steps
To protect your Kubernetes environments from IngressNightmare, follow these remediation steps:
Immediate Actions:
- Update to a patched version:
  - Ingress NGINX Controller version 1.12.1 (if running 1.12.0)
  - Ingress NGINX Controller version 1.11.5 (if running 1.11.4 or below)
  - Ingress NGINX Controller version 1.10.7 (for older deployments)
- Verify whether your clusters use ingress-nginx with the command:
  kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx
If immediate updating is not possible:
- Enforce strict network policies so only the Kubernetes API Server can access the admission controller
- Temporarily disable the admission controller component if it’s not needed:
  - If installed using Helm, reinstall with controller.admissionWebhooks.enabled=false
  - If installed manually, delete the ValidatingWebhookConfiguration called ingress-nginx-admission and remove the --validating-webhook argument from the ingress-nginx-controller container’s Deployment or DaemonSet
- Ensure the admission webhook endpoint is not exposed externally
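As an added example (not code from this post or from the ingress-nginx project), the following POSIX shell script classifies controller image tags against the patched versions listed above and, when invoked with --scan, runs the kubectl check from the steps above against a live cluster and reports whether the ingress-nginx-admission webhook is still installed; the script name and the --scan flag are assumptions.

```shell
# Added example (not from the original post): classify ingress-nginx image tags
# against the patched releases named above (1.12.1, 1.11.5, 1.10.7) and, on
# request, scan a live cluster using the kubectl selector from the steps above.

# Reduce an image reference to its tag, dropping any @sha256 digest and the repo
# path: registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:ab -> v1.11.4
image_tag() {
  img=${1%%@*}
  name=${img##*/}                  # last path component, e.g. controller:v1.11.4
  case "$name" in
    *:*) echo "${name##*:}" ;;
    *)   echo unknown ;;           # untagged image: check its version by hand
  esac
}

# Print "patched", "vulnerable" or "unknown" for a controller tag such as v1.11.4.
ingress_nginx_status() {
  v=${1#v}
  case "$v" in
    [0-9]*.[0-9]*.[0-9]*) ;;
    *) echo unknown; return 0 ;;
  esac
  major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}; patch=${rest#*.}
  patch=${patch%%[!0-9]*}          # drop pre-release/build suffixes: 5-rc1 -> 5
  case "$major$minor$patch" in *[!0-9]*) echo unknown; return 0 ;; esac
  if [ "$major" -gt 1 ]; then echo patched; return 0; fi
  if [ "$major" -lt 1 ]; then echo vulnerable; return 0; fi   # 0.x predates the fixes
  case "$minor" in
    12) [ "$patch" -ge 1 ] && echo patched || echo vulnerable ;;
    11) [ "$patch" -ge 5 ] && echo patched || echo vulnerable ;;
    10) [ "$patch" -ge 7 ] && echo patched || echo vulnerable ;;
    *)  [ "$minor" -gt 12 ] && echo patched || echo vulnerable ;;
  esac
}

# List each ingress-nginx pod's images with their status, then show whether the
# admission webhook (the exposed surface) is still installed. Needs kubectl access.
scan_cluster() {
  kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx \
    -o jsonpath='{range .items[*]}{.metadata.namespace}{"/"}{.metadata.name}{" "}{range .spec.containers[*]}{.image}{" "}{end}{"\n"}{end}' |
  while read -r pod images; do
    for img in $images; do
      printf '%s %s %s\n' "$pod" "$img" "$(ingress_nginx_status "$(image_tag "$img")")"
    done
  done
  kubectl get validatingwebhookconfiguration ingress-nginx-admission 2>/dev/null ||
    echo "no ingress-nginx-admission webhook configuration found"
}

if [ "${1:-}" = "--scan" ]; then scan_cluster; fi   # only touch the cluster when asked
```

Run as `sh check_ingress_nginx.sh --scan` with a kubeconfig pointing at the cluster; any line ending in "vulnerable" identifies a pod that still needs one of the upgrades listed above.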
Important Clarification
Note that this vulnerability affects the Ingress NGINX Controller for Kubernetes, but does not affect the similarly named NGINX Ingress Controller from F5.
How CinchOps Can Help Secure Your Business
Managing vulnerabilities like IngressNightmare requires a proactive security approach. CinchOps offers comprehensive Kubernetes security solutions that can help:
- Continuous Vulnerability Scanning: Our platform automatically scans your Kubernetes environments to identify vulnerable components before they can be exploited.
- Automated Patching: Deploy critical security updates across your clusters with minimal downtime and disruption.
- Network Policy Enforcement: Implement and manage strict network policies to control access to sensitive components like admission controllers.
- Incident Response Support: In case of a security incident, our team provides expert guidance and support to contain and mitigate the threat.
- Compliance Monitoring: Ensure your Kubernetes deployments meet industry security standards and compliance requirements.
Discover more about our enterprise-grade, business-protecting cybersecurity services on our Cybersecurity page.
Don’t wait for a security breach to take action. Contact CinchOps today to schedule a security assessment of your Kubernetes environments and protect your business from critical vulnerabilities like IngressNightmare.