
Critical Vulnerabilities in Ingress NGINX Controller for Kubernetes Discovered: Urgent Security Update Required

KIN

Wiz Research uncovered a series of critical vulnerabilities in the Ingress NGINX Controller for Kubernetes, collectively named “IngressNightmare.” These vulnerabilities, including CVE-2025-1974, CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, and CVE-2025-1098, allow unauthenticated remote code execution (RCE), potentially leading to complete cluster takeover. Here is the advisory from Kubernetes.

Affected Versions: The following versions of the Ingress NGINX Controller are affected by these vulnerabilities:

Kubernetes Ingress-nginx (prior to 1.11.0)
Kubernetes Ingress-nginx (1.11.0 through 1.11.4)
Kubernetes Ingress-nginx (1.11.4 and earlier)
Kubernetes Ingress-nginx (1.11.0 through prior to 1.11.5)
Kubernetes Ingress-nginx (1.12.0)
Kubernetes Ingress-nginx (1.12.0 through prior to 1.12.1)

Impact: Exploitation of these vulnerabilities enables attackers to inject arbitrary NGINX configurations via the admission controller, leading to RCE within the Ingress NGINX Controller’s pod. Given that the admission controller is often accessible over the network without authentication, this poses a severe security risk. Attackers can gain unauthorized access to all cluster secrets across namespaces, potentially resulting in a complete cluster takeover.

Mitigation:

  1. Upgrade Ingress NGINX Controller: Immediately update to version v1.11.5 or v1.12.1, which contain the patches addressing these vulnerabilities.
  2. Disable the Admission Controller (Temporary Mitigation): If an immediate upgrade isn’t feasible, disable the Validating Admission Controller feature to reduce risk:
    • Helm Installation: Reinstall Ingress NGINX with the Helm value controller.admissionWebhooks.enabled=false.
    • Manual Installation: Delete the ValidatingWebhookConfiguration named ingress-nginx-admission and modify the ingress-nginx-controller Deployment or DaemonSet by removing --validating-webhook from the controller container’s arguments.
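Before applying either mitigation it helps to know which controller images in the cluster actually fall in the affected ranges above, and whether the ingress-nginx-admission webhook is still registered after the temporary mitigation. The script below is an added example written for this page, not code from Wiz or the Kubernetes project. It classifies a controller image tag against the version ranges listed above (anything before v1.11.5, and v1.12.0), and, when kubectl is on the PATH, lists the controller images and the registered validating webhooks. The namespace name ingress-nginx and the image path ingress-nginx/controller are assumptions based on the default installation, not values from the advisory; the sample image references at the bottom are constructed.

```python
"""Classify ingress-nginx controller images against the IngressNightmare
version ranges and check whether the validating admission webhook remains."""
import re
import shutil
import subprocess
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# Ranges stated on this page: everything before v1.11.5 is affected in the
# 1.11 line (and earlier), and v1.12.0 is affected, fixed in v1.12.1.
FIRST_FIXED_1_11: Version = (1, 11, 5)
FIRST_FIXED_1_12: Version = (1, 12, 1)

_TAG_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(image: str) -> Optional[Version]:
    """Return (major, minor, patch) from an image reference such as
    'registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:...', or None
    when the tag is not a semantic version (e.g. 'latest')."""
    ref = image.split("@", 1)[0]            # drop any @sha256:... digest
    last = ref.rsplit("/", 1)[-1]           # 'controller:v1.11.4'
    tag = last.split(":", 1)[1] if ":" in last else last
    m = _TAG_RE.match(tag)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(v: Version) -> bool:
    """True when the version lies in an affected range from the advisory."""
    if v < FIRST_FIXED_1_11:                # prior to 1.11.5 (covers < 1.11.0 too)
        return True
    return v[:2] == (1, 12) and v < FIRST_FIXED_1_12   # 1.12.0 only


def assess(image: str) -> str:
    """Classify an image reference as 'affected', 'patched' or 'unknown'."""
    v = parse_version(image)
    if v is None:
        return "unknown"
    return "affected" if is_affected(v) else "patched"


def kubectl(*args: str) -> str:
    """Run kubectl and return stdout; raises if the command fails."""
    return subprocess.run(["kubectl", *args], check=True,
                          capture_output=True, text=True).stdout


def controller_images(namespace: str = "ingress-nginx") -> List[str]:
    """Images of every Deployment/DaemonSet container in the namespace that
    looks like the ingress-nginx controller (namespace is an assumption)."""
    jp = ('{range .items[*]}{.spec.template.spec.containers[*].image}'
          '{"\\n"}{end}')
    out = kubectl("get", "deploy,ds", "-n", namespace, "-o", "jsonpath=" + jp)
    return [img for line in out.splitlines() for img in line.split()
            if "ingress-nginx/controller" in img]


def admission_webhook_registered(name: str = "ingress-nginx-admission") -> bool:
    """True while the ValidatingWebhookConfiguration from the page is present."""
    out = kubectl("get", "validatingwebhookconfiguration",
                  "-o", "jsonpath={.items[*].metadata.name}")
    return name in out.split()


# Constructed sample references for running the classifier offline.
SAMPLE_IMAGES = [
    "registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:0000deadbeef",
    "registry.k8s.io/ingress-nginx/controller:v1.12.0",
    "registry.k8s.io/ingress-nginx/controller:v1.12.1",
    "registry.k8s.io/ingress-nginx/controller:latest",
]

if __name__ == "__main__":
    images = SAMPLE_IMAGES
    if shutil.which("kubectl"):
        images = controller_images() or images
        print("admission webhook registered:", admission_webhook_registered())
    for img in images:
        print(f"{assess(img):8s} {img}")
```

Run it on a workstation with cluster access to get a live listing; without kubectl it only classifies the constructed sample references. Note that the temporary mitigation removes the webhook but leaves the vulnerable controller version in place, so an image that still reports "affected" after the webhook is gone is a reminder that the upgrade is still outstanding.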

Lessons Learned:

  1. Secure Admission Controllers: Ensure that admission controllers are not exposed over the network without proper authentication, to prevent unauthorized access.
  2. Regular Security Audits: Conduct routine security assessments of Kubernetes components to identify and address potential vulnerabilities proactively.
  3. Timely Patching: Stay updated with security patches and updates from official sources to mitigate known vulnerabilities promptly.
  4. Least Privilege Principle: Limit permissions for creating and managing Ingress objects to trusted users to reduce the potential impact of exploited vulnerabilities.

By implementing these mitigation strategies and lessons learned, organizations can enhance the security of their Kubernetes environments and protect against potential exploits targeting the Ingress NGINX Controller.
