Triskele Labs Blog

Multiple Ingress-NGINX Controller for Kubernetes Vulnerabilities 'IngressNightmare'

Written by Adam Skupien, Vulnerability Security Analyst | Mar 28, 2025 1:37:23 AM

Published: Fri 28 March 2025

Prepared by: Adam Skupien, Vulnerability Security Analyst


Purpose

This bulletin addresses multiple vulnerabilities in the Ingress-NGINX Controller for Kubernetes that, when chained together, could enable an unauthenticated attacker to execute arbitrary code remotely—potentially resulting in a full cluster takeover.

Organisations using Ingress-NGINX controllers within their Kubernetes clusters are urged to follow the remediation steps detailed below. The vulnerabilities were discovered by the Wiz research team, which has dubbed the combined issue 'IngressNightmare.'

On 26 March 2025, the Australian Cyber Security Centre (ACSC) issued an advisory regarding five vulnerabilities affecting the Ingress-NGINX Controller, including CVE-2025-1974, which is rated Critical (CVSS 9.8). The ACSC recommended that affected organisations update to the latest version of the Ingress-NGINX Controller in their Kubernetes deployments.


Vulnerability details

On 25 March 2025, the Kubernetes Security Response Committee published a security advisory covering the following vulnerabilities:

  • CVE-2025-1097 | CVSSv3 - 8.8
  • CVE-2025-1098 | CVSSv3 - 8.8
  • CVE-2025-1974 | CVSSv3 - 9.8
  • CVE-2025-24513 | CVSSv3 - 4.8
  • CVE-2025-24514 | CVSSv3 - 8.8

When chained together, these vulnerabilities can allow unauthenticated remote code execution leading to a full cluster takeover. Although public proof-of-concept exploits are not currently available, GreyNoise.io has reported six IP addresses associated with exploit attempts targeting CVE-2025-1974.

Affected versions of the Ingress-NGINX Controller include:

  • All versions prior to v1.11.0
  • v1.11.0 – v1.11.4
  • v1.12.0

If the Ingress-NGINX Controller is not deployed on your cluster, you are not affected.


Impact

Successful exploitation of these flaws could allow an actor to execute arbitrary code, access all cluster secrets across namespaces, and potentially lead to complete cluster takeover.


Mitigation actions

Organisations running affected versions of Ingress-NGINX Controller should take the following actions:

  1. Apply patches by upgrading to a secure version:
  • v1.11.4 and earlier: upgrade to v1.11.5
  • v1.12.0: upgrade to v1.12.1
  2. Ensure the admission webhook endpoint is not exposed externally. If you are unsure whether your environment is affected, Wiz has released a tool to detect exposed Ingress-NGINX admission controllers: https://gist.github.com/nirohfeld/7a7c82c62321de9c2ef95d266b241fcb

If immediate patching is not an option, it is recommended to enforce strict network policies so that only the Kubernetes API server can access the admission controller, or temporarily disable the admission controller component.


Detection capabilities

To determine if your environment is using the Ingress-NGINX Controller, run the following command with at least cluster-scoped read-only permissions:

kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx
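The affected ranges from the mitigation section and the kubectl query above, combined into a small triage script (an added example, not code from this bulletin or the ingress-nginx project). It assumes upstream controller image tags of the form vMAJOR.MINOR.PATCH; the pod list it runs over is constructed sample data, with the live query shown in a comment.

```shell
#!/bin/sh
# Added example, not code from the bulletin or the ingress-nginx project.
# Classifies running Ingress-NGINX controller images against the affected
# ranges listed above. Assumes upstream image tags of the form vMAJOR.MINOR.PATCH.

# Classify one image tag: prints "affected", "patched" or "unknown".
ingress_nginx_status() {
  tag="${1#v}"                     # strip the leading "v"
  tag="${tag%%-*}"                 # drop pre-release suffixes such as -rc1
  case "$tag" in
    *.*.*) ;;                      # need three components
    *) echo unknown; return 2 ;;
  esac
  major="${tag%%.*}"; rest="${tag#*.}"
  minor="${rest%%.*}"; patch="${rest#*.}"
  case "$major$minor$patch" in     # every component must be purely numeric
    *[!0-9]*) echo unknown; return 2 ;;
  esac
  # Affected per the bulletin: before v1.11.0, v1.11.0-v1.11.4, and v1.12.0.
  if [ "$major" -lt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -lt 11 ]; } \
     || { [ "$major" -eq 1 ] && [ "$minor" -eq 11 ] && [ "$patch" -le 4 ]; } \
     || { [ "$major" -eq 1 ] && [ "$minor" -eq 12 ] && [ "$patch" -eq 0 ]; }; then
    echo affected; return 1
  fi
  echo patched; return 0           # v1.11.5+ and v1.12.1+ carry the fix
}

# Reads "namespace pod image" lines on stdin, prints one verdict per pod and
# returns 1 if any controller runs an affected version.
triage_pods() {
  found=0
  while read -r ns pod image; do
    [ -n "$image" ] || continue
    image="${image%%@*}"           # drop an @sha256:... digest, if present
    verdict=$(ingress_nginx_status "${image##*:}") || :
    echo "$ns/$pod $image -> $verdict"
    if [ "$verdict" = affected ]; then found=1; fi
  done
  return "$found"
}

# Constructed sample in the format produced by the live query below; the digest
# is a placeholder. Live use (cluster-scoped read-only access is enough):
#   kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx \
#     -o jsonpath='{range .items[*]}{.metadata.namespace} {.metadata.name} {.spec.containers[0].image}{"\n"}{end}' | triage_pods
SAMPLE_PODS='ingress-nginx ingress-nginx-controller-7d4f5 registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:placeholder
ingress-nginx-b ingress-nginx-controller-9c2a1 registry.k8s.io/ingress-nginx/controller:v1.12.1'

printf '%s\n' "$SAMPLE_PODS" | triage_pods || echo "ACTION: affected controller(s) found, upgrade per the bulletin"
```

A non-zero exit from triage_pods is the signal to act on; an "unknown" verdict means the tag did not follow the assumed format and needs a manual check.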

Qualys customers can scan using QID 382971 to identify potentially affected systems.

Triskele Labs SOC customers using our Monitor (24x7x365 security monitoring) and Vulnerability Scanning services and solutions are being actively assessed and monitored for indicators of compromise (IOCs) and suspicious activity.


References