March 25, 2025

Critical Unauthenticated Remote Code Execution Vulnerabilities in Ingress NGINX

Advisory
Kudelski Security Team

Summary

Wiz Research has uncovered multiple critical unauthenticated remote code execution (RCE) vulnerabilities in the Ingress NGINX Controller for Kubernetes, collectively known as IngressNightmare. These vulnerabilities enable attackers to execute arbitrary commands within the Ingress NGINX Controller’s pod without requiring authentication. As a result, they may gain unauthorized access to all secrets stored across namespaces in the Kubernetes cluster, ultimately leading to a full cluster compromise. Exploitation of these flaws poses severe security risks, including lateral movement within the environment and data exfiltration. The identified vulnerabilities include:

  • CVE-2025-1097: Insecure validation of ingress objects allowing remote command injection.
  • CVE-2025-1098: Unsafe handling of user-supplied input leading to arbitrary command execution.
  • CVE-2025-24514: Malicious ingress objects enabling arbitrary NGINX configuration injection.
  • CVE-2025-1974: Bypass of security controls, resulting in unauthorized execution of commands.

Affected Systems and/or Applications

Ingress NGINX Controller versions prior to 1.12.1 and 1.11.5 are vulnerable.
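To turn that version statement into a check against the image actually deployed, here is an added Python example; it is not part of the advisory and not ingress-nginx project code. It assumes the controller image reference has been read out of the Deployment or DaemonSet (for instance with kubectl's jsonpath output), that release lines newer than 1.12 postdate the fix, and that lines older than 1.11 received no fixed release; the sample image references are constructed.

```python
"""Check Ingress NGINX Controller image tags against the fixed releases.

Added example, not from the advisory. The fixed versions (1.12.1 and 1.11.5)
are the ones the advisory names; how other release lines are treated is this
example's own assumption and is documented in is_vulnerable().
"""
import re
from typing import Optional, Tuple

# Fixed releases named in the advisory, keyed by minor release line.
FIXED_VERSIONS = {
    (1, 12): (1, 12, 1),
    (1, 11): (1, 11, 5),
}

_TAG_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(image_or_tag: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from an image reference or a bare tag.

    Handles references such as
      registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:<digest>
      localhost:5000/ingress-nginx/controller:v1.12.0
      v1.12.0
    Returns None when no semantic version is present (e.g. tag "latest").
    """
    ref = image_or_tag.split("@", 1)[0]          # drop any digest suffix
    tag = ref.rsplit(":", 1)[-1] if ":" in ref else ref
    m = _TAG_RE.search(tag)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: Tuple[int, int, int]) -> bool:
    """True when the version predates the fix for its release line.

    Assumptions (not stated in the advisory): release lines newer than 1.12
    postdate the fix and are treated as patched; lines older than 1.11 have
    no fixed release listed and are treated as unpatched.
    """
    line = version[:2]
    if line in FIXED_VERSIONS:
        return version < FIXED_VERSIONS[line]
    return line < (1, 12)


def assess(image_or_tag: str) -> str:
    """Human-readable verdict for one image reference."""
    v = parse_version(image_or_tag)
    if v is None:
        return "unknown: no semantic version in image reference, inspect manually"
    tag = "v%d.%d.%d" % v
    if is_vulnerable(v):
        return f"VULNERABLE: {tag}, upgrade to 1.12.1 / 1.11.5 or later"
    return f"ok: {tag}"


# Constructed sample image references (not from any real cluster), shaped like
# `kubectl get deploy -n ingress-nginx ingress-nginx-controller \
#    -o jsonpath='{.spec.template.spec.containers[*].image}'` output.
SAMPLE_IMAGES = [
    "registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:PLACEHOLDERDIGEST",
    "registry.k8s.io/ingress-nginx/controller:v1.12.1",
    "localhost:5000/ingress-nginx/controller:v1.10.1",
    "registry.k8s.io/ingress-nginx/controller:latest",
]

if __name__ == "__main__":
    for img in SAMPLE_IMAGES:
        print(f"{img}\n  -> {assess(img)}")
```

A tag such as `latest` is reported as unknown rather than patched on purpose: a floating tag says nothing about which release is running, so the digest or the controller's own version output has to be checked instead.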

Technical Details

Each of the identified vulnerabilities presents a unique risk to Kubernetes environments:

  • CVE-2025-1097: Ingress NGINX Controller Configuration Injection via Unsanitized auth-tls-match-cn Annotation. This vulnerability arises from the improper handling of the nginx.ingress.kubernetes.io/auth-tls-match-cn annotation. The controller fails to adequately sanitize this input, allowing attackers to inject arbitrary NGINX configurations. By crafting a malicious ingress object with a specially formatted auth-tls-match-cn annotation, an attacker can manipulate the NGINX configuration to execute unauthorized commands within the ingress controller’s pod.
  • CVE-2025-1098: Ingress NGINX Controller Configuration Injection via Unsanitized Mirror Annotations. This issue is due to insufficient input validation in the nginx.ingress.kubernetes.io/mirror-target and nginx.ingress.kubernetes.io/mirror-host annotations. Attackers can exploit this flaw by injecting malicious configurations through these annotations, leading to arbitrary command execution within the NGINX worker processes. This can result in unauthorized access to the pod and potentially to cluster-wide secrets.
  • CVE-2025-24514: Ingress NGINX Controller Configuration Injection via Unsanitized Auth-URL Annotation. This vulnerability involves the nginx.ingress.kubernetes.io/auth-url annotation, which is improperly sanitized when incorporated into the NGINX configuration. An attacker can craft a malicious ingress object with a specially formatted auth-url annotation to inject arbitrary NGINX directives. This injection can lead to unauthorized command execution within the ingress controller’s pod.
  • CVE-2025-1974: Ingress NGINX Admission Controller Remote Code Execution. This critical vulnerability allows an unauthenticated attacker with access to the pod network to achieve arbitrary code execution within the ingress-nginx controller. Exploiting this flaw can lead to the disclosure of secrets accessible to the controller, potentially resulting in a complete cluster takeover.

Mitigation & Recommendations

  • Immediate Upgrade: Upgrade to Ingress NGINX Controller versions 1.12.1 or 1.11.5 or later.
  • Restrict Access: Ensure that the admission webhook endpoint is not exposed externally. Implement strict network policies to restrict access to the admission controller, allowing only the Kubernetes API Server to communicate with it.
  • Temporary Disabling: If immediate upgrading is not feasible, consider temporarily disabling the admission controller component:
    • For Helm installations: Reinstall with controller.admissionWebhooks.enabled=false.
    • For manual installations: Delete the ValidatingWebhookConfiguration named ingress-nginx-admission and remove the --validating-webhook argument from the ingress-nginx-controller container’s Deployment or DaemonSet.
    • Note: Remember to re-enable the Validating Admission Controller after upgrading, as it provides essential safeguards for your Ingress configurations.
  • Monitor and Audit: Regularly monitor logs and network traffic for unusual activity or unauthorized ingress object creations. Specifically observe:
    • Unusual process executions within Ingress NGINX Controller pods.
    • Unexpected outbound connections initiated from the controller pods.
    • Log entries containing unexpected ingress object creations or modifications.
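The last monitoring point, unexpected ingress object creations or modifications, can be made concrete by auditing the four annotations named in the Technical Details section. The following is an added Python example, not from the advisory and not the ingress-nginx project's own validation; it reads the JSON shape that `kubectl get ingress -A -o json` produces and flags annotation values that do not look like what the annotation legitimately carries. The expected shapes (an http(s) URL for auth-url and mirror-target, a bare host for mirror-host, a `CN=` expression for auth-tls-match-cn, and no whitespace or NGINX configuration delimiters in any of them) are this example's assumptions and should be tightened to your environment; the sample ingress objects, including the one malformed value, are constructed.

```python
"""Audit Ingress objects for the annotations abused by IngressNightmare.

Added example, not from the advisory or the ingress-nginx project. The
expected value shapes below are assumptions chosen for this example, not the
project's validation rules: tune them to what your ingresses actually use.
"""
import json
import re
from typing import Dict, List, Tuple
from urllib.parse import urlparse

ANNOTATION_PREFIX = "nginx.ingress.kubernetes.io/"
WATCHED = {
    ANNOTATION_PREFIX + s
    for s in ("auth-url", "mirror-target", "mirror-host", "auth-tls-match-cn")
}

# None of these values legitimately contains whitespace (including a newline),
# a statement terminator, a block delimiter, a comment marker or a quote.
FORBIDDEN = re.compile(r"[\s;{}#\"']")
_HOST_RE = re.compile(r"^[A-Za-z0-9.\-]+(:\d{1,5})?$")
_MATCH_CN_RE = re.compile(r"^CN=[A-Za-z0-9 ._\-|()*]+$")


def _looks_like_url(value: str) -> bool:
    """http(s) URL with a host; NGINX variables such as $host are allowed."""
    u = urlparse(value)
    return u.scheme in ("http", "https") and bool(u.netloc)


def check_annotation(key: str, value: str) -> str:
    """Return "" when the value matches its expected shape, else a reason."""
    if FORBIDDEN.search(value):
        return "contains whitespace or an NGINX configuration delimiter"
    short = key[len(ANNOTATION_PREFIX):]
    if short in ("auth-url", "mirror-target"):
        return "" if _looks_like_url(value) else "not an http(s) URL"
    if short == "mirror-host":
        return "" if _HOST_RE.match(value) else "not a bare host[:port]"
    if short == "auth-tls-match-cn":
        return "" if _MATCH_CN_RE.match(value) else "not a CN=... expression"
    return ""


def audit(ingress_list: Dict) -> List[Tuple[str, str, str, str]]:
    """Return (namespace, name, annotation, reason) for every suspicious value."""
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        ns, name = meta.get("namespace", ""), meta.get("name", "")
        for key, value in (meta.get("annotations") or {}).items():
            if key in WATCHED:
                reason = check_annotation(key, str(value))
                if reason:
                    findings.append((ns, name, key, reason))
    return findings


# Constructed sample (not from a real cluster), shaped like the output of
# `kubectl get ingress -A -o json`. The third object carries a malformed
# auth-url value with a ';' and a newline, the kind of thing the audit flags.
SAMPLE = json.loads(r'''
{"items": [
  {"metadata": {"namespace": "web", "name": "shop",
     "annotations": {"nginx.ingress.kubernetes.io/auth-url": "https://$host/oauth2/auth"}}},
  {"metadata": {"namespace": "web", "name": "mirror",
     "annotations": {"nginx.ingress.kubernetes.io/mirror-target": "https://staging.example.internal/$request_uri",
                     "nginx.ingress.kubernetes.io/mirror-host": "staging.example.internal"}}},
  {"metadata": {"namespace": "sandbox", "name": "odd",
     "annotations": {"nginx.ingress.kubernetes.io/auth-url": "http://auth.example.internal/check;\n",
                     "nginx.ingress.kubernetes.io/auth-tls-match-cn": "CN=(client-a|client-b)"}}}
]}
''')


def main() -> None:
    for ns, name, key, reason in audit(SAMPLE):
        print(f"{ns}/{name}: {key}: {reason}")


if __name__ == "__main__":
    main()
```

Run against a live cluster by feeding `kubectl get ingress -A -o json` into `json.load` instead of `SAMPLE`; scheduling it alongside Kubernetes audit logging for Ingress create and update events covers both the current state and the change that introduced it.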

What the Cyber Fusion Center is Doing

The CFC will continue to monitor the situation and send an advisory update if needed. Immediate action is required to mitigate potential exploitation by applying patches, restricting access, and enhancing security monitoring. Organizations should prioritize these measures to safeguard their cloud environments against potential threats.

Clients subscribed to our vulnerability scan services will receive relevant results if critical vulnerabilities are found within the scope of the scans as soon as a relevant plugin is made available by the scan provider.
