Full Report
Researchers aren’t aware of active exploitation in the wild, but they warn the risk for publicly exposed and unpatched Ingress Nginx controllers is extremely high. The post "String of defects in popular Kubernetes component puts 40% of cloud environments at risk" appeared first on CyberScoop.
Analysis Summary
# Vulnerability: Ingress Nginx Controller "IngressNightmare" Chain Leading to RCE
## CVE Details
- CVE ID: CVE-2025-1974 (Critical RCE), CVE-2025-1097, CVE-2025-1098, CVE-2025-24513, CVE-2025-24514
- CVSS Score: 9.8 (for CVE-2025-1974)
- CWE: Not explicitly listed, but exploitation path suggests Injection/Configuration flaws leading to RCE.
## Affected Systems
- Products: Ingress Nginx Controller for Kubernetes
- Versions: All unpatched versions released before the fixes described under Remediation.
- Configurations: Default configuration makes systems vulnerable. Risk is high for publicly exposed instances.
## Vulnerability Description
A series of five vulnerabilities, dubbed "IngressNightmare," affect the popular Ingress Nginx Controller. The most critical flaw, **CVE-2025-1974**, allows for unauthenticated Remote Code Execution (RCE). This RCE can be achieved by chaining CVE-2025-1974 with one of three other high-severity configuration injection vulnerabilities: CVE-2025-1097, CVE-2025-1098, or CVE-2025-24514. Successful exploitation grants an attacker the ability to take over the entire Kubernetes cluster, including accessing cluster-wide secrets such as passwords and tokens.
## Exploitation
- Status: PoC available (the article notes that exploit code is starting to be published online). No active exploitation in the wild reported as of the article date, but risk is extremely high.
- Complexity: Low (The exploit chain is unauthenticated and works in default configurations).
- Attack Vector: Network (Targeted at publicly exposed Ingress controllers).
## Impact
- Confidentiality: High (Access to cluster-wide secrets).
- Integrity: High (Potential for full cluster takeover).
- Availability: High (Full cluster compromise severely impacts availability).
## Remediation
### Patches
Patches were released by Ingress Nginx maintainers on Monday (March 24, 2025, inferred):
- Fixes available for CVE-2025-1097, CVE-2025-1098, CVE-2025-1974, CVE-2025-24513, and CVE-2025-24514.
- Administrators should refer to the releases page of the `kubernetes/ingress-nginx` GitHub repository for specific patched versions.
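
To act on the patch guidance, an operator first needs a list of which controller pods are still below a fixed release. The script below is an added example, not code from the article or from the Ingress Nginx project. It reads `kubectl get pods -A -o json` output and flags controllers to patch or review. It assumes the upstream pod labels and image naming, and the version numbers in `FIXED` and `SAMPLE` are constructed placeholders that must be replaced with the values from the project's release notes.

```python
import json
import re
import sys

# Assumption: controller pods carry the labels set by the upstream manifests.
WANT = {"app.kubernetes.io/name": "ingress-nginx",
        "app.kubernetes.io/component": "controller"}
TAG_RE = re.compile(r"/controller(?:-chroot)?:v?(\d+)\.(\d+)\.(\d+)")

def controller_images(pod_list):
    """Yield (namespace, pod, image, version-or-None) per controller container."""
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        labels = meta.get("labels") or {}
        if not all(labels.get(k) == v for k, v in WANT.items()):
            continue
        for c in pod.get("spec", {}).get("containers", []):
            image = c.get("image", "")
            m = TAG_RE.search(image)
            yield (meta.get("namespace"), meta.get("name"), image,
                   tuple(map(int, m.groups())) if m else None)

def needs_patch(pod_list, fixed_by_line):
    """Return controllers below the first fixed release of their release line."""
    findings = []
    for ns, name, image, ver in controller_images(pod_list):
        # Unparseable tags and unknown release lines are reported, not skipped.
        fixed = fixed_by_line.get(ver[:2]) if ver else None
        if fixed is None or ver < fixed:
            findings.append((ns, name, image))
    return findings

# Constructed sample data: version numbers are placeholders, not real releases.
FIXED = {(9, 1): (9, 1, 4), (9, 2): (9, 2, 1)}
def _pod(ns, name, image, labeled=True):
    labels = dict(WANT) if labeled else {"app": "web"}
    return {"metadata": {"namespace": ns, "name": name, "labels": labels},
            "spec": {"containers": [{"image": image}]}}
SAMPLE = {"items": [
    _pod("ingress-nginx", "ctl-a", "registry.k8s.io/ingress-nginx/controller:v9.1.3"),
    _pod("ingress-nginx", "ctl-b", "registry.k8s.io/ingress-nginx/controller:v9.2.1"),
    _pod("edge", "ctl-c", "mirror.example/ingress-nginx/controller:latest"),
    _pod("shop", "web-1", "mirror.example/shop/web:v1.0.0", labeled=False),
]}

if __name__ == "__main__":
    # Real use, once FIXED holds real values: kubectl get pods -A -o json | python3 <this file>
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for finding in needs_patch(data, FIXED):
        print("needs patch or review:", *finding)
```

Controllers with a floating tag such as `latest`, or on a release line missing from `FIXED`, are listed for manual review rather than treated as patched.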
### Workarounds
- Remediate publicly exposed instances immediately.
- While not explicitly detailed, general workarounds would involve restricting network access to the Ingress controller until patching is complete.
## Detection
- Indicators of compromise: Look for unexpected process execution or configuration changes within Kubernetes pods managed by the Ingress controller.
- Detection methods and tools: Monitoring network traffic targeting the ingress points for anomalous requests associated with exploit patterns for CVE-2025-1974. Security scanning tools capable of identifying vulnerable Kubernetes components should be prioritized.
## References
- Wiz blog post detailing the vulnerabilities: hxxps://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities
- Kubernetes official advisory blog post: hxxps://kubernetes.io/blog/2025/03/24/ingress-nginx-cve-2025-1974/