Full Report
Over 40% of cloud environments are vulnerable to RCE, likely leading to a complete cluster takeover.
Analysis Summary
# Vulnerability: IngressNightmare - RCE in Ingress NGINX Controller Admission Controller
## CVE Details
- CVE ID: CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974 (A series of vulnerabilities, collectively referred to as IngressNightmare)
- CVSS Score: 9.8 (Critical)
- CWE: Not explicitly listed, but relates to insecure deserialization/configuration processing leading to RCE.
## Affected Systems
- Products: Ingress NGINX Controller for Kubernetes
- Versions: Versions prior to 1.12.1 and 1.11.5 (Specific versions not fully detailed beyond the fixed versions). Vulnerable configurations involve an externally exposed admission controller endpoint.
- Configurations: When the admission controller component is accessible over the network without proper authentication restrictions. Approximately 43% of cloud environments were estimated to be vulnerable.
## Vulnerability Description
The vulnerability resides within the admission controller component of the Ingress NGINX Controller for Kubernetes. This component is designed to validate incoming Kubernetes ingress objects by constructing an NGINX configuration and validating it using the NGINX binary. Attackers can exploit this by sending a malicious ingress object directly to the unauthenticated admission controller over the network. This malicious object injects an arbitrary NGINX configuration, which tricks the NGINX validator into executing arbitrary code (RCE) within the Ingress NGINX Controller's pod. Due to the elevated privileges of the admission controller, successful exploitation allows unauthorized access to all secrets stored across all namespaces in the cluster, potentially leading to complete cluster takeover.
## Exploitation
- Status: Proof-of-Concept (PoC) likely available, as researchers provided technical details and warnings about immediate risk. The attack vector is well-defined.
- Complexity: Low (Implied, given the high CVSS score and exposure to the public internet).
- Attack Vector: Network (Remote, unauthenticated access to the admission controller endpoint).
## Impact
- Confidentiality: High (Access to all secrets across all namespaces).
- Integrity: High (Arbitrary code execution on the ingress controller pod).
- Availability: High (Potential for complete cluster takeover).
## Remediation
### Patches
- Update to Ingress NGINX Controller **version 1.12.1** or higher.
- Update to Ingress NGINX Controller **version 1.11.5** or higher.
### Workarounds
If immediate upgrade is not possible:
1. **Network Segmentation:** Enforce strict network policies so only the Kubernetes API Server can access the admission controller endpoint.
2. **Disable Admission Controller:**
* **Helm Install:** Reinstall using `controller.admissionWebhooks.enabled=false`.
* **Manual Install:** Delete the `ValidatingWebhookConfiguration` named `ingress-nginx-admission` and remove the `--validating-webhook` argument from the `ingress-nginx-controller` container’s Deployment or DaemonSet specifications. (Note: This configuration must be re-enabled after upgrading.)
## Detection
- **Identification:** Check for exposure of ingress-nginx:
`kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx`
- **External Check:** Use a Nuclei template (linked in the source material) to check for externally exposed Ingress-NGINX admission controllers.
- **Runtime Monitoring:** Monitor ingress traffic for malicious admission review requests and flag anomalous library loads, as specialized sensors (like Wiz Runtime Sensor) can detect these zero-day activities in real-time.
## References
- Vendor Advisory: Kubernetes blog post regarding CVE-2025-1974 (link provided in original source).
- Disclosure Timeline: Detailed timeline available from December 31, 2024, to March 24, 2025.
- Research Team: Wiz Research