Home > Security > Security News

Critical Kubernetes Vulnerability in Ingress NGINX Controller Exposes Thousands of Clusters to Attack 

Published
Written by:
Lore Apostol
Lore Apostol
Cybersecurity & Streaming Writer

A set of severe vulnerabilities, collectively dubbed IngressNightmare, in the widely used Ingress NGINX Controller for Kubernetes. These unauthenticated remote code execution (RCE) flaws, tracked as CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, and CVE-2025-1974, have been assigned a CVSS score of 9.8.

Ingress NGINX Controller is a core Kubernetes project responsible for routing external traffic to services within Kubernetes clusters. With its prominence highlighted in Kubernetes documentation and over 18,000 stars on GitHub, the tool is a popular choice for managing ingress configurations. 

However, researchers at WIZ Research estimate that 43% of cloud environments utilizing Kubernetes are vulnerable, exposing over 6,500 clusters, including those of Fortune 500 companies, to potential compromise.

Simplified diagram of ingress NGINX controller
Simplified diagram of Ingress NGINX Controller | Source: WIZ

The vulnerabilities stem from flaws in the admission controller component of the tool. This component, designed to validate ingress objects before deployment, is accessible by default over the network without authentication. 

Exploitation allows attackers to inject malicious NGINX configurations via crafted ingress objects, executing arbitrary code on the cluster's pod and gaining unauthorized access to sensitive secrets across all namespaces. This provides a direct path to complete cluster takeover.

The vulnerabilities, which allow the injection of malicious NGINX directives into configuration files validated by nginx -t, demonstrate how attackers could exploit these flaws to upload and execute malicious libraries with elevated privileges.

Wiz disclosed the issues to Kubernetes beginning December 31, 2024, working collaboratively to resolve them. Updated internal patches and versions were released in early 2025. 

The public disclosure was finalized on March 24, 2025, ensuring adequate mitigation steps were in place before making the vulnerabilities known.


Add a Comment
Related
Fake Hiring Challenge for Polish Developers Steals Sensitive Data via FogDoor Backdoor 
Scammers Trying to Gain Account Data Through Semrush Brand Impersonation
Tesla Customers’ Sensitive Details Leak Online on a ‘Protest’ Website Called ‘Dogequest’
Ukrainian Railways Hit by Large-Scale Cyberattack, Operations Remain Stable
VanHelsing Ransomware-as-a-Service Emerges as a Significant Cybersecurity Threat
Italian Transportation Company Sanctioned for Installation of Geolocation System and Failing to Inform Employees
Most Popular
The Last of Us Season 2
"There’s Incredibly Painful Distance Between the two of them": Bella Ramsey & Pedro Pascal talk About The Last of Us Season 2
Fake Hiring Challenge for Polish Developers Steals Sensitive Data via FogDoor Backdoor 
danish court law
SuperBits and DanishBytes Torrent Uploader and ‘The Scene’-Linked Man Sentenced to Prison in Denmark
The Bachelorette
The Bachelorette: Is it Canceled? Who is the next Contestant?
The Bachelor 2025
The Bachelor 2025: Grant Ellis' Final pick Revealed!
Scammers Trying to Gain Account Data Through Semrush Brand Impersonation
"There’s Incredibly Painful Distance Between the two of them": Bella Ramsey & Pedro Pascal talk About The Last of Us Season 2
Fake Hiring Challenge for Polish Developers Steals Sensitive Data via FogDoor Backdoor 
SuperBits and DanishBytes Torrent Uploader and ‘The Scene’-Linked Man Sentenced to Prison in Denmark
The Bachelorette: Is it Canceled? Who is the next Contestant?
The Bachelor 2025: Grant Ellis' Final pick Revealed!
Scammers Trying to Gain Account Data Through Semrush Brand Impersonation

Most Popular
The Last of Us Season 2
"There’s Incredibly Painful Distance Between the two of them": Bella Ramsey & Pedro Pascal talk About The Last of Us Season 2
Fake Hiring Challenge for Polish Developers Steals Sensitive Data via FogDoor Backdoor 
danish court law
SuperBits and DanishBytes Torrent Uploader and ‘The Scene’-Linked Man Sentenced to Prison in Denmark
The Bachelorette
The Bachelorette: Is it Canceled? Who is the next Contestant?
The Bachelor 2025
The Bachelor 2025: Grant Ellis' Final pick Revealed!
Scammers Trying to Gain Account Data Through Semrush Brand Impersonation
"There’s Incredibly Painful Distance Between the two of them": Bella Ramsey & Pedro Pascal talk About The Last of Us Season 2
Fake Hiring Challenge for Polish Developers Steals Sensitive Data via FogDoor Backdoor 
SuperBits and DanishBytes Torrent Uploader and ‘The Scene’-Linked Man Sentenced to Prison in Denmark
The Bachelorette: Is it Canceled? Who is the next Contestant?
The Bachelor 2025: Grant Ellis' Final pick Revealed!
Scammers Trying to Gain Account Data Through Semrush Brand Impersonation

© 2025 TechNadu, a part of Leaprove Media LLP. All Rights Reserved.

Close lightbox
Facebook
Twitter
Linkedin
Reddit
Email
Copy Link
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: