While many organizations rely on Kubernetes for mission-critical applications, a devastating set of vulnerabilities dubbed “IngressNightmare” has security teams scrambling. This nasty cocktail of five critical flaws in the Ingress NGINX Controller affects versions prior to 1.11.5 and 1.12.1, earning an eye-watering CVSS score of 9.8. Not exactly a minor hiccup.
Security researchers at Wiz identified these vulnerabilities, which currently threaten over 6,500 publicly accessible Kubernetes clusters. Let that sink in. The attack vector specifically targets the admission controller component, which—surprise, surprise—often sits there with unrestricted network accessibility. Classic security oversight.
Over 6,500 Kubernetes clusters exposed, thanks to unrestricted admission controllers sitting wide open like security’s forgotten stepchild.
The exploit chain is brutal in its simplicity. Attackers can inject arbitrary NGINX configuration remotely by sending malicious ingress objects to the admission controller. CVE-2025-24514, CVE-2025-1097, and CVE-2025-1098 allow for configuration directive injection, while CVE-2025-1974 enables the actual remote code execution. Bang! Full cluster compromise.
The potential impact? Devastating. Unauthenticated remote code execution on the controller’s pod, access to all secrets across all namespaces, and potential complete cluster takeover. This affects a whopping 43% of cloud environments. Your super-secure Fortune 500 company? Probably vulnerable too.
Mitigation isn’t rocket science, but it requires immediate action. Update to versions 1.11.5, 1.12.1, or later. Or limit access to the admission controller to only the Kubernetes API Server. The advisory emphasizes the urgent need for remediation given the critical nature of these vulnerabilities. Still dragging your feet? You could temporarily disable the admission controller component if you’re not using it.
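Since the fix hinges on which release you are actually running, here is an added triage script (mine, not from the article, Wiz or the ingress-nginx project) that grades controller image tags against the fixed releases named above, 1.11.5 and 1.12.1, and can walk a live cluster with kubectl. It assumes the upstream Helm chart's default labels (`app.kubernetes.io/name=ingress-nginx`, `app.kubernetes.io/component=controller`) and an image tag of the form `v1.11.4`, optionally pinned with an `@sha256:` digest.

```shell
#!/bin/sh
# Added example: flag ingress-nginx controller versions affected by
# IngressNightmare (fixed in 1.11.5 and 1.12.1). Not the project's own tooling.
set -eu

# Compare two dotted versions; a leading "v" and any -prerelease/+build suffix
# are ignored. Prints -1, 0 or 1.
vercmp() {
  va="${1#v}"; vb="${2#v}"
  va="${va%%[-+]*}"; vb="${vb%%[-+]*}"
  awk -v a="$va" -v b="$vb" 'BEGIN {
    na = split(a, pa, "."); nb = split(b, pb, ".")
    for (i = 1; i <= 3; i++) {
      x = (i <= na) ? pa[i] + 0 : 0
      y = (i <= nb) ? pb[i] + 0 : 0
      if (x < y) { print -1; exit }
      if (x > y) { print 1; exit }
    }
    print 0
  }'
}

# Exit status 0 when the version is affected, 1 when it carries the fix.
ingress_nginx_vulnerable() {
  # Everything before 1.11.5, including the 1.10 line and older, is affected.
  [ "$(vercmp "$1" 1.11.5)" -lt 0 ] && return 0
  # On the 1.12 line only 1.12.0 is affected; 1.12.1 is the fixed release.
  [ "$(vercmp "$1" 1.12.0)" -ge 0 ] && [ "$(vercmp "$1" 1.12.1)" -lt 0 ] && return 0
  return 1
}

# One line per controller Deployment in the cluster (assumed chart labels).
scan_cluster() {
  kubectl get deploy -A \
    -l app.kubernetes.io/name=ingress-nginx,app.kubernetes.io/component=controller \
    -o jsonpath='{range .items[*]}{.metadata.namespace}{" "}{.spec.template.spec.containers[0].image}{"\n"}{end}' |
  while read -r ns image; do
    tag="${image%%@*}"   # drop a pinned @sha256:... digest before taking the tag
    tag="${tag##*:}"
    if ingress_nginx_vulnerable "$tag"; then
      echo "VULNERABLE $ns $image (upgrade to 1.11.5 / 1.12.1 or later)"
    else
      echo "ok         $ns $image"
    fi
  done
}

# Only touch a live cluster when asked, so the functions can also be sourced.
if [ "${1:-}" = "--scan" ]; then scan_cluster; fi
```

Run it as `sh triage.sh --scan` against a cluster you administer; a VULNERABLE line means upgrade now or, at minimum, fence the admission webhook off from everything but the API server.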
Worth noting: this doesn’t affect the separate NGINX Ingress Controller implementation. Small consolation. Wiz published its findings only after the Kubernetes patches were ready, to minimize the window for exploitation.
Fixed versions were released on March 10, 2025, with public disclosure following on March 24. No public proof-of-concept exploits exist yet, but they’re coming. Count on it. And with 72% of organizations running business-critical databases in Kubernetes environments, the stakes couldn’t be higher.