Full Report
A set of five critical security shortcomings have been disclosed in the Ingress NGINX Controller for Kubernetes that could result in unauthenticated remote code execution, putting over 6,500 clusters at immediate risk by exposing the component to the public internet. The vulnerabilities (CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, and CVE-2025-1974 ), assigned a CVSS score of
Analysis Summary
# Vulnerability: Critical Ingress NGINX Controller Vulnerabilities (IngressNightmare) Leading to Unauthenticated RCE
## CVE Details
- CVE ID: CVE-2025-24513, **CVE-2025-24514**, **CVE-2025-1097**, **CVE-2025-1098**, **CVE-2025-1974**
- CVSS Score: **9.8 (Critical)**
- CWE: Not explicitly detailed, but relates to configuration injection and insecure handling of admission requests.
## Affected Systems
- Products: Ingress NGINX Controller for Kubernetes (specifically the admission controller component).
- Versions: Not explicitly listed, but approximately 43% of cloud environments using this controller are vulnerable.
- Configurations: Affects deployments where the admission controller component is accessible over the network without authentication. Note: This does **not** affect NGINX or NGINX Plus directly.
## Vulnerability Description
A set of five critical vulnerabilities, collectively nicknamed IngressNightmare, affect the admission controller component of the Ingress NGINX Controller for Kubernetes. The core issue resides in the controller's network accessibility combined with its failure to properly authenticate network requests sent to the admission controller. An attacker can exploit this by injecting arbitrary NGINX configuration remotely by sending a malicious ingress object (containing `AdmissionReview` requests) directly to the unauthenticated admission controller.
Specific injection points detailed include:
* **CVE-2025-24514**: `auth-url` Annotation Injection
* **CVE-2025-1097**: `auth-tls-match-cn` Annotation Injection
* **CVE-2025-1098**: `mirror UID` Injection
* **CVE-2025-1974**: NGINX Configuration Code Execution
Exploitation can chain these flaws, for example, by uploading a malicious shared library payload using the NGINX `client-body` buffer feature, followed by sending an `AdmissionReview` request that forces the controller to load this library, leading to Remote Code Execution (RCE).
## Exploitation
- Status: Implied potential for exploitation, described as an "experimental attack scenario."
- Complexity: Likely **Low** given the critical nature and the ability to achieve RCE without authentication.
- Attack Vector: **Network** (Remote).
## Impact
Successful exploitation allows an attacker to execute arbitrary code on the Ingress NGINX Controller's pod, access all secrets stored across all namespaces in the Kubernetes cluster, and potentially lead to **complete cluster takeover**.
- Confidentiality: **High** (Access to all cluster secrets)
- Integrity: **High** (Arbitrary code execution)
- Availability: **High** (Potential cluster disruption)
## Remediation
### Patches
Information regarding specific patched versions was not provided in the text. Users must check official Ingress NGINX Controller releases for updates addressing CVE-2025-24513 through CVE-2025-1974.
### Workarounds
No specific workarounds were detailed, but mitigating the core issue requires securing or isolating network access to the admission controller component until patches are applied (e.g., by restricting network access via firewall rules or network policies).
## Detection
- Indicators of Compromise: Suspicious inbound network connections to the Ingress NGINX Controller admission endpoints, or unexpected execution activity within the controller's pod.
- Detection methods and tools: Monitoring for unusual `AdmissionReview` requests containing suspicious NGINX configuration directives injected in annotations (like `auth-url` or via client-body features).
## References
- Vendor Advisories: Wiz security advisory regarding "IngressNightmare."
- Relevant links:
- [https://github.com/kubernetes/ingress-nginx](https://github.com/kubernetes/ingress-nginx)
- [https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities](https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities) (Defanged)