Over 6,500 exposed clusters at risk as security researchers uncover high-severity flaws in one of the most widely used Kubernetes components

March 2025 — A set of five vulnerabilities in the community-maintained Ingress NGINX Controller for Kubernetes (ingress-nginx), one of them rated critical, has been publicly disclosed under the collective name IngressNightmare, sparking alarm across the cloud computing and DevSecOps communities. According to Wiz, the cloud security firm that discovered the flaws, an attacker who can reach the controller's admission webhook over the network can chain them into unauthenticated remote code execution (RCE), putting more than 6,500 internet-exposed clusters at immediate risk.

These flaws — CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, and CVE-2025-1974 — carry CVSS scores ranging from 4.8 up to 9.8, placing CVE-2025-1974 among the most severe Kubernetes vulnerabilities reported to date.

What’s at stake?

The Ingress NGINX Controller is one of the most widely deployed tools for exposing Kubernetes services to the outside world. Acting as a reverse proxy and load balancer, it routes external HTTP and HTTPS traffic to internal pods according to the rules declared in Ingress resources, which it translates into an NGINX configuration.

Wiz researchers found that the controller's validating admission webhook checks an incoming Ingress by rendering it into an NGINX configuration and test-loading that configuration with nginx -t, and that the webhook accepts AdmissionReview requests from any network peer without authenticating the caller. An attacker who can reach the webhook can therefore bypass the Kubernetes API server entirely, submit a fabricated AdmissionReview whose Ingress annotations inject arbitrary NGINX directives, and escalate from there to RCE in the controller pod and takeover of the cluster. No credentials or Kubernetes privileges are required.

“The elevated privileges of the admission controller, combined with its unrestricted network exposure, create a critical escalation path,” Wiz explained in their report. “Exploitation allows attackers to access all secrets across all namespaces in the cluster, potentially leading to full compromise.”

Breakdown of vulnerabilities

  • CVE-2025-24513 (CVSS 4.8): A path traversal in the handling of auth secret file paths that can cause denial of service or, combined with the other flaws, limited disclosure of Secret objects.
  • CVE-2025-24514, CVE-2025-1097, CVE-2025-1098 (CVSS 8.8): Unsanitized Ingress annotations (auth-url, auth-tls-match-cn, and the mirror-target/mirror-host pair, respectively) that are copied into the generated configuration and allow arbitrary NGINX config injection.
  • CVE-2025-1974 (CVSS 9.8): Unauthenticated RCE via the admission controller. Because the webhook validates attacker-supplied objects without authenticating the caller, anyone who can reach it on the pod network can chain the injection flaws above into code execution in the controller pod.

In an experimental attack scenario, researchers demonstrated how to get a shared library onto the controller pod by sending it as a large request body, which NGINX's request body buffering writes to a temporary file. The file is unlinked immediately, but its open file descriptor remains addressable through /proc/<pid>/fd/<n>. An injected ssl_engine directive pointing at that path then makes NGINX load the library, since ssl_engine loads an OpenSSL engine shared object even during configuration testing with nginx -t, which is exactly what the admission webhook runs.

Impact and affected environments

Wiz estimates that at least 43% of cloud environments run a vulnerable version of the controller. More than 6,500 clusters, including some operated by Fortune 500 companies, were found to have their admission webhook reachable from the public internet, making them directly susceptible to this attack vector.

It’s important to note that these flaws affect the Kubernetes community project ingress-nginx only. F5's separately maintained NGINX Ingress Controller, including its NGINX Plus edition, is a different code base and is not affected.

Official response and mitigation

The Kubernetes Security Response Committee and the ingress-nginx maintainers worked with Wiz to patch the vulnerabilities. Fixes are included in the following controller releases, one per supported branch:

  • 1.12.1
  • 1.11.5
  • 1.10.7

Admins are strongly advised to:

  • Update immediately to a patched version, and verify the running image tag rather than the Helm chart version.
  • Ensure the admission webhook endpoint (the controller's admission Service, port 8443 on the pod) is not reachable from the internet.
  • Limit access to the webhook strictly to the Kubernetes API server, for example with a NetworkPolicy that allows ingress to the webhook port only from the API server's address range.
  • If immediate patching is not feasible, disable the admission webhook temporarily: with Helm, reinstall with controller.admissionWebhooks.enabled=false; otherwise delete the ValidatingWebhookConfiguration named ingress-nginx-admission. Re-enable it after upgrading, since without it invalid Ingress objects are no longer rejected.

Wiz has also released a Nuclei scanning template to help organizations detect vulnerable admission controllers in their environments.
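The following triage script is an added example written for this article; it is neither Wiz's Nuclei template nor ingress-nginx code. It does two things a practitioner wants during the response described above: it compares a controller image tag against the fixed releases listed in the advisory, and it builds the kind of harmless AdmissionReview probe a scanner sends to confirm that a webhook validates Ingress objects for an unauthenticated caller. The webhook path /networking/v1/ingresses and the verdict labels are assumptions from the default community deployment, and the probe carries no annotations, so it exercises nothing beyond ordinary validation.

```python
"""Offline triage helpers for IngressNightmare (added example).

1. is_patched(): is this controller image tag at or above the fixed release
   for its branch (1.12.1, 1.11.5, 1.10.7 per the advisory)?
2. build_probe()/classify_response(): the shape of a harmless AdmissionReview
   and how to read the webhook's reply. A webhook that answers such a POST
   from an arbitrary client is reachable without caller authentication.
Assumptions (not from the article): default webhook path
/networking/v1/ingresses; branches newer than 1.12 carry the fix.
"""
import json
import re
import ssl
import sys
import urllib.request
import uuid

# Earliest patched release on each supported branch, per the advisory.
FIXED = {(1, 12): (1, 12, 1), (1, 11): (1, 11, 5), (1, 10): (1, 10, 7)}
WEBHOOK_PATH = "/networking/v1/ingresses"  # assumed default path
_TAG_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_tag(tag: str) -> tuple:
    """Accept 'v1.11.3', '1.12.0-beta.0' or a full image reference such as
    'registry.k8s.io/ingress-nginx/controller:v1.11.5@sha256:...'."""
    tag = tag.split("@", 1)[0].rsplit(":", 1)[-1]   # drop digest, then repo prefix
    m = _TAG_RE.match(tag)
    if not m:
        raise ValueError(f"unrecognised version tag: {tag!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(tag: str) -> bool:
    """True if the tag is at or above the fixed release for its branch.
    Branches older than 1.10 received no fix; newer ones are assumed fixed."""
    v = parse_tag(tag)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return v[:2] > (1, 12)
    return v >= fixed


def build_probe(namespace: str = "default") -> dict:
    """A minimal AdmissionReview wrapping an annotation-free Ingress (constructed)."""
    ingress = {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "Ingress",
        "metadata": {"name": "ingressnightmare-probe", "namespace": namespace},
        "spec": {"rules": [{"host": "probe.invalid", "http": {"paths": [{
            "path": "/", "pathType": "Prefix",
            "backend": {"service": {"name": "probe", "port": {"number": 80}}}}]}}]},
    }
    return {
        "apiVersion": "admission.k8s.io/v1",
        "kind": "AdmissionReview",
        "request": {
            "uid": str(uuid.uuid4()),
            "kind": {"group": "networking.k8s.io", "version": "v1", "kind": "Ingress"},
            "resource": {"group": "networking.k8s.io", "version": "v1", "resource": "ingresses"},
            "name": ingress["metadata"]["name"],
            "namespace": namespace,
            "operation": "CREATE",
            "userInfo": {"username": "probe"},   # never checked by the webhook
            "object": ingress,
        },
    }


def classify_response(status: int, body: str) -> str:
    """'reachable' when an admission webhook validated our object for us as an
    unauthenticated caller; anything else is 'not-admission-webhook'."""
    if status != 200:
        return "not-admission-webhook"
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return "not-admission-webhook"
    resp = data.get("response") if data.get("kind") == "AdmissionReview" else None
    if isinstance(resp, dict) and "allowed" in resp:
        return "reachable"
    return "not-admission-webhook"


def probe_webhook(base_url: str, timeout: float = 5.0) -> str:
    """POST the probe to <base_url>/networking/v1/ingresses. The webhook serves a
    self-signed certificate, so verification is disabled for this check only."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(base_url.rstrip("/") + WEBHOOK_PATH,
                                 data=json.dumps(build_probe()).encode(),
                                 headers={"Content-Type": "application/json"},
                                 method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as r:
            return classify_response(r.status, r.read().decode(errors="replace"))
    except urllib.error.HTTPError as e:
        return classify_response(e.code, e.read().decode(errors="replace"))


if __name__ == "__main__":
    # usage: python triage.py <image-tag> [https://host:8443]
    print("patched" if is_patched(sys.argv[1]) else "VULNERABLE", sys.argv[1])
    if len(sys.argv) > 2:
        print(sys.argv[2], probe_webhook(sys.argv[2]))
```

Run the version check against the image actually running (kubectl get deploy -n ingress-nginx -o jsonpath of the controller container image), not the chart version. Point the probe only at clusters you are authorised to test; a "reachable" verdict from outside the cluster is the condition the advisory's network-restriction advice is meant to remove.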

A deeper architectural concern

Beyond the immediate danger, IngressNightmare highlights a broader security issue in Kubernetes: admission webhooks frequently run inside pods that hold high privileges (the ingress-nginx controller, for instance, needs to read TLS Secrets cluster-wide), accept requests without authenticating the caller, and are exposed over the pod network to anything that can reach them. According to Wiz, this architecture expands the attack surface unnecessarily and violates the principle of least privilege.

“We were surprised to see just how large and complex the code base behind the admission controller is,” said Hillai Ben-Sasson, cloud security researcher at Wiz. “The risk stems not only from the bugs themselves but from the excessive trust placed in these components by default.”

Final thoughts

The IngressNightmare vulnerabilities are a wake-up call for the Kubernetes community. While the flexibility and extensibility of Kubernetes are major strengths, they must be matched with a robust security posture. Admission controllers — often overlooked — are proving to be one of the most dangerous entry points for attackers.

With public exploits already circulating, cluster administrators are urged to take immediate action. The cost of inaction could include complete loss of control over critical infrastructure and the exposure of sensitive data.

Source: Wiz and ingress-nginx
